The Cyber Security Strategy (PDF, 366KB) works in conjunction with Information Technology to support UQ’s strategic direction to create “knowledge leadership for a better world”.

This strategy addresses the challenges of cyber security at the University and defines a vision, mission and distinct goals that aim to address and resolve these challenges.

1. Vision, mission and principles

Vision

Information services that are underpinned by a well-implemented end-to-end security program to deliver optimised risk management while enabling innovation and agility.

Cyber security services that provide assurance and metrics to the University to permit sound, evidence-based decision-making to facilitate the University’s mission. A security-oriented culture extending from information and communication technology (ICT) specialists to the entire UQ community, enabling effective consideration of cyber security concerns across academic, research, support and ICT domains.

Mission

To effectively mitigate risk and protect UQ’s information assets against increasingly aggressive and sophisticated cyber threats while continually adapting to the rapidly evolving needs of the University.

Principles

Cyber Security is everyone’s business
As technical solutions for cyber security have improved, attackers have increasingly targeted users to gain unauthorised access to an organisation's sensitive data assets. In striving to find the easiest or fastest way to perform a task, users may also bypass an organisation's security controls. Hence users, and the processes they use to perform their work, are a key aspect of cyber security. A holistic approach is required, taking into account environment, systems, people, and processes.

Continuous improvement of cyber security management
Regular review of the effectiveness of every element of the information security management programme together with learning from security incidents is necessary to create a mature and effective practice.

Optimised management of cyber security risk
An approach is needed that applies a dynamic mix of security controls to achieve the maximum benefit to UQ.

Balancing cyber security with usability
Information security mechanisms should impose as little burden to users as possible to achieve the required level of protection.

Cyber security as enabling innovation
Information security should be viewed as an enabler, allowing the University to benefit from the rapid development of information technology without exposing itself to unacceptable risk.

Cyber security must be adaptable and agile
Cyber security must keep pace with change in many dimensions including the University’s business, Information Technology, Security Technology and approach, and the evolving threat landscape.

Cyber security solutions should be as simple as possible
Cyber security controls should work in concert with each other and the underlying information systems and processes to achieve the greatest risk reduction for the least increase in complexity.

Building security from the ground up
Cyber security needs to be addressed as a fundamental requirement in the design, development and selection of information systems and processes, and throughout their life cycle.


2. Challenges

The Cyber Security Strategy is designed to address the following key challenges:

Manage complexity
Manage a complex range of ICT systems and offer a diverse range of services in an academic environment that values openness, flexibility and usability.

Support innovation
Support a high rate of information technology innovation in service of a premium student experience and academic endeavours in an increasingly globally competitive environment.

Support agility
Support agile business and ICT services, providing simple but secure solutions.

Manage vulnerabilities
Manage large numbers of constantly emerging security vulnerabilities across a broad spectrum of issues impacting multiple systems and platforms.

Constant security threats
Manage an aggressive and constantly changing threat environment, in which attackers seek to exploit vulnerabilities to compromise systems and user credentials, steal intellectual property, undermine the integrity of student grades, qualifications or academic research, commit financial fraud, or otherwise harm the business and reputation of the University.

Performance assessment
Assess performance, provide assurance and improve decision making relating to cyber security risks through metrics, benchmarking and reporting.


3. Key strategy and objectives

Strategy 1

A risk-based approach will be used, driven by the University’s business requirements, aligning cyber security risk with business risk to facilitate appropriate ownership by UQ’s governing individuals.

The objectives for this strategy are:

  • A register of UQ’s information assets will be created and maintained to understand protection requirements from the perspective of the teaching, research and support elements of UQ.
  • A register of cyber security risks faced by UQ will be created and used as the basis for optimised investment in controls and reporting of cyber risk to UQ governing bodies.
  • Cyber security risks will be regularly reviewed to inform the development and evolution of security controls, providing ongoing resilience to cyber threats.

Strategy 2

Cyber security governance informed by best-practice frameworks, and leveraging UQ and IT governance, will be used to ensure cyber security risk is addressed broadly and effectively across UQ.

The objectives for this strategy are:

  • The UQ ITC Security policy will be rewritten to provide a strong basis for cyber security governance.
  • An overarching framework for cyber security will be developed with associated standards and procedures.
  • A cyber security management program will be established to implement regular activities required by the framework.
  • Relevant UQ procedures and standards will be reviewed and updated to ensure cyber security requirements are satisfied.

Strategy 3

Architectural methods will be used to achieve an effective, well-balanced blend of technical and procedural controls.

The objectives for this strategy are:

  • A cyber security architecture will be developed and implemented to provide cohesion between technical controls for greater overall effectiveness.
  • Security will be incorporated into architectural design processes as a fundamental concern.

Strategy 4

A culture conducive to cyber security will be fostered at UQ to strengthen other security initiatives.

The objectives for this strategy are:

  • A comprehensive security awareness program will be implemented to increase knowledge and promote the importance of cyber security.

Strategy 5

Collaboration will be used to improve the University’s security capability while contributing to broader initiatives to reduce the impact of cyber threats.

The objectives for this strategy are:

  • Strong collaborative relationships will be developed with information security service providers and peers in other universities to augment and strengthen internal information security capabilities and contribute to broader initiatives to improve information security.

Strategy 6

The information security service capabilities of AusCERT will be leveraged to provide exceptional operational security to the University.


4. Success measures

The following changes in security metrics will be used to track the success of cyber security initiatives:

  • reduced residual information security risk to UQ
  • increased risk mitigation due to implemented security controls
  • increased level of maturity against best-practice frameworks
  • reduction in the average resolution time for security incidents
  • increased proportion of users that have completed security training and respond appropriately to malicious emails
  • increased proportion of hosts where security OS and application patches are up-to-date.

5. Information security management

Information security is about ensuring that stakeholders have confidence and trust in the University's ability to manage and protect the information it collects and holds. This includes:

  • academic records
  • curriculum information
  • student credit card details
  • research and development output
  • university financials.

Loss of this confidence and trust will have a major impact on the University's operations.

The Queensland Government has defined the standard requirements applicable to all governmental and semi-governmental entities for securing organisational information. This is contained in Queensland Government Information Standard 18: Information Security (IS18).

UQ is required to comply with the principles contained in IS18 for effective information security management.
