Information technology policy

Purpose

This policy defines the rules that must be observed while conducting RMIT activities using information technology.

Scope

This policy applies to all RMIT University students and staff including staff and students of controlled entities, temporary employees, contractors, visitors and third parties (suppliers) and agents of the organisation who have access to RMIT’s information systems or information, regardless of whether the information is held on RMIT’s premises or at other locations, and/or are bound by RMIT policy where their contract of engagement with the University specifically provides for this.

Policy provisions

1. Information Security

1.1. All staff, students and contractors must ensure RMIT information assets are handled in accordance with its information classification set out in the Privacy and Information Management policy.

1.2. Purpose built information processing facilities and equipment must be housed in secured areas, protected by a defined security perimeter, with appropriate environmental conditions. Only authorised individuals will be granted physical access to these secured areas.

1.3. The transfer of RMIT information must be conducted in accordance with the Privacy and Information Management Policy.

1.4. Business and system owners are responsible for ensuring Information security-related controls are applied to RMIT services, infrastructure, applications and information assets. This includes internally and externally hosted services.

1.5. Security Culture

1.5.1. Staff and students are responsible for keeping information secure and must follow the ITS security requirements.

1.5.2. Staff and students must complete any mandatory compliance course and attend information security training as required.

1.5.3. RMIT must periodically inform students and staff of their accountabilities, responsibilities and appropriate information security practices.

1.6. Third Party Security

1.6.1. Information security clauses must be included in all contracts with third parties if they will have access to our students or RMIT information.

1.6.2. Third party organisations accessing, storing, servicing RMIT information/systems must comply with the Information Technology policy and information security requirements outlined in the contractual agreements.

1.6.3. All third parties who handle or store student or RMIT information must undergo a periodic information security review.

1.7. Secure System Development

1.7.1. All systems and services must be developed in accordance with RMIT’s Information Security Systems Development Lifecycle (SSDLC).

1.8. Reporting Information Security Incidents

1.8.1. All actual or suspected information security breaches must be reported immediately using the RMIT Information security incident policy process.

1.9. Access Management

1.9.1. Passwords must be set according to the Password controls statement. The Chief Information Security Officer is responsible for establishing and maintaining the password control statement.

1.9.2. The owner of the application or system is responsible for the safekeeping of the (privileged) Administrator password, including the combination of username and password for authentication purposes.

1.9.3. The access owner is responsible for ensuring that provision of access is based on business needs only and granted under the principle of “least possible access”.

1.9.4. End user password(s) must be kept secure and in accordance with the intent of this policy and the Ethics and Integrity Policy.

1.9.5. Users’ credentials are reviewed for appropriateness on a periodic basis. It is the responsibility of the Line Manager/Asset Owner to ensure user access is maintained for job function only.

2. Sourcing new systems

2.1. Prior to consideration of new technology or changes to existing technology, stakeholders must discuss with their designated Business Technology Partner possible existing system solutions.

2.2. All ICT assets sourced or procured must be assessed by ITS to ensure strategic alignment with Technology Architecture principles and standards defined by the Chief Technology Officer and outlined in the ICT Plan.

3. Corporate mobile devices

3.1. The Cost Centre manager authorises a corporate mobile device to be assigned to an employee. The mobile device remains the property of RMIT at all times.

3.2. Occasional and low-cost personal use is acceptable when related to work activity (for example, when working away from the office or outside of normal working hours to confirm safe arrival or notify delay). Unacceptable and high-cost personal use may be subject to reimbursement.

3.3. RMIT will not reimburse the cost of phone calls made on behalf of RMIT on personal mobile phones.

3.4. It is the responsibility of the authorised user and relevant cost centre to arrange repairs on damaged devices.

3.5. Mobile devices must not be bought using RMIT issued credit cards.

3.6. The following rules apply for RMIT Melbourne:

3.6.1. All new mobile services and devices must be arranged through SS&P.

3.6.2. SS&P is responsible for ensuring all new or replacement corporate mobile devices and associated services are recorded in the central register.

3.6.3. Changes to existing devices and services, such as reallocation to a new user, must be recorded in the central register by following the Corporate mobile device policy process established and maintained by the Director, Technology-Learning, Teaching and Research.

3.6.4. It is the responsibility of the Cost Centre manager to ensure that a mobile device and SIM is returned by employees when they leave RMIT using the Corporate mobile device policy process established and maintained by the Director, Technology-Learning, Teaching and Research.

3.6.5. Damaged devices must be repaired at an authorised service agent. Details for service agents can be obtained through ITS. Costs associated with repair are the responsibility of the owning cost centre.

3.6.6. Lost or stolen devices must be reported immediately via the Corporate mobile device policy process established by ITS.

3.6.7. Authorised users requiring international roaming services on a University mobile device whilst travelling overseas must complete a Mobile device international travel request as outlined in the Corporate mobile device policy process at least 5 days prior to departure.

3.7. The following rules apply for RMIT Vietnam:

3.7.1. All new mobile services and devices must be arranged through HR.

3.7.2. HR is responsible for ensuring all new or replacement corporate mobile devices and associated services are recorded in the central register.

3.7.3. Changes to existing devices and services, such as reallocation to a new user, must be recorded in the central register by following the process established and maintained by HR.

3.7.4. It is the responsibility of the Cost Centre manager to ensure that a mobile device and SIM is returned by employees when they leave RMIT using the process established and maintained by HR.

3.7.5. Damaged devices must be repaired at an authorised service agent. Details for service agents can be obtained through HR. Costs associated with repair are the responsibility of the owning cost centre.

3.7.6. Lost or stolen devices must be reported immediately via the process established by HR.

3.7.7. Mobile device users have an allowance of VND 200000 per month for all phone calls including international roaming.

3.8. The following rules apply for RMIT Training:

3.8.1. All new mobile services and devices must be arranged through the IT Operations and Support Manager.

3.8.2. The IT Operations and Support Manager is responsible for ensuring all new or replacement corporate mobile devices and associated services are recorded in the central register.

3.8.3. Changes to existing devices and services, such as reallocation to a new user, must be recorded in the central register by following the process established and maintained by the IT Operations and Support Manager.

3.8.4. It is the responsibility of the Cost Centre manager to ensure that a mobile device and SIM is returned by employees when they leave RMIT using the process established and maintained by the IT Operations and Support Manager.

3.8.5. Damaged devices must be repaired at an authorised service agent. Details for service agents can be obtained through the IT Operations and Support Manager. Costs associated with repair are the responsibility of the owning cost centre.

3.8.6. Lost or stolen devices must be reported immediately via the process established by the Director, IT.

3.8.7. RMIT Training employees travelling overseas must book a time to visit an Infrastructure and Helpdesk Administrator in the RMIT Training IT Group no less than five working days prior to their departure so devices such as smartphones, tablets and laptops can be configured correctly to support them while travelling overseas.

3.9. The following rules apply for RMIT Europe:

3.9.1. All new mobile services and devices must be arranged through the Finance Officer with approval from the Senior Manager, Planning and Resources.

3.9.2. The Finance Officer is responsible for ensuring all new or replacement corporate mobile devices and associated services are recorded in the central register.

3.9.3. Changes to existing devices and services, such as reallocation to a new user, must be recorded in the central register by following the process established and maintained by the Finance Officer.

3.9.4. It is the responsibility of the Cost Centre manager to ensure that a mobile device and SIM is returned by employees when they leave RMIT using the process established and maintained by the Finance Officer.

3.9.5. Damaged devices must be repaired at an authorised service agent. Details for service agents can be obtained through the Finance Officer. Costs associated with repair are the responsibility of the owning cost centre.

3.9.6. Lost or stolen devices must be reported immediately to the Senior Manager, Planning & Resources.

3.9.7. International roaming must be requested in advance and approved by the Cost Centre manager.

4. Policy exemption

4.1. Exemptions from this policy and other RMIT policies relating to ITS use must be sought using the ITS Policy exemption request policy process determined by the Chief Information Security Officer. Exemptions must be sought prior to undertaking investigation of alternatives.
