ISY3006: Developing an Information Security Policy for ACU Report

Information Security
ISY3006
10/3/2019
System04113

ISY3006 1
Executive Summary
As organizations make increasing use of technology, the risks associated with the information they hold spread in step. The report opens with an introduction that sets out its route map. The report has been prepared for Australian Catholic University (ACU). The IT security policy developed for the university is then discussed; defining the roles and responsibilities of different parties, providing training to system users, and limiting unauthorized access and remote access are a few of the major points covered by this policy. Finally, weak passwords, unauthorized access and inappropriate use of email are identified as vulnerabilities that can be mitigated by adopting the measures of a developed and documented policy.

ISY3006 2
Contents
Executive Summary...................................................................................................................1
Introduction................................................................................................................................2
Discussion..................................................................................................................................2
Nature and stakeholders.........................................................................................................2
Development of strategic security policy for ACU................................................................3
Risk, threats, and mitigation...................................................................................................7
Conclusion..................................................................................................................................8
References................................................................................................................................10
Introduction
IT systems are always exposed to uncertain risks, and it is extremely necessary to identify and mitigate them in order to secure the information such systems hold. When an organization adopts information technology, different kinds of risk arise, including general IT threats, criminal IT threats, and the risk of natural disasters (Business.qld.gov.au, 2019). The information security policy of the organization plays an important role here. Such a policy is a set of rules that ensures that all networks and data within the organization's structure are secured against unauthorized access and use and remain under the organization's authority (Rouse, 2019). Many data breach cases are reported in the media, which increases the significance of an IT security policy. The purpose of this report is to develop an understanding of the IT threats to, and the security policy of, an organization.
In the presented report, the discussion begins with a brief introduction to the selected organization. Further, a strategic policy for the organization is presented after the basic research and formulation behind it has been described. Lastly, the risks and vulnerabilities of the organizational network, and the manner in which they can be resolved, are discussed.
Discussion
Nature and stakeholders
Australian Catholic University (ACU) is engaged in providing meaningful education and life-changing opportunities to students (Acu.edu.au, 2019). Since it is a university, its lead stakeholders are its church, staff, alumni, students, communities, and employers, which include government and nonprofit organizations. The university also provides international
core curriculum study options, and therefore many international students are also enrolled in it.
Development of strategic security policy for ACU
In a world full of stakeholder expectations and market competition, every organization uses IT in its practices. Before developing a security policy for the organization, it is first necessary to know why one is needed. The university uses IT for both internal and external purposes. As discussed above, the organization has many stakeholders, and it uses IT while dealing with them. ACU has to keep the records of students permanently, which is a huge amount of data to keep. Further, the salary and other records of staff members are another kind of information that ACU deals with. These are very significant and sensitive types of data that must be kept safe, as any insecurity or breach of them can create issues for a student's career. The increasing number of cybercrimes and the techniques adopted by cybercriminals put a big question mark over the security of the data collected by ACU. Recently a data breach incident was also reported in the media in which significant ACU data was accessed by attackers through emails (Saarinen, 2019). To prevent such incidents in the future, a security policy that can prevent all possible threats needs to be in place.
To document a security policy for the organization, it first has to be researched, formulated and developed. To do so, the risks involved in the IT system must first be researched. Such risks can be identified with monitoring and reporting tools. Further, legal requirements must also be taken care of, especially when it comes to the handling of stakeholders' personal information. To develop the security policy, various aspects have been kept in consideration, such as control and access levels, responsibilities of users, approval authority and so on. After researching these aspects, an information security
policy for the university has been formulated and developed, which is documented hereunder:
Information Security Policy
1. Purpose: This policy sets out the approach of ACU with respect to information security management. It has been developed to support the strategic vision of the university. The policy stipulates the manner in which information security risk can be minimized, and it has been developed considering the combination of people and processes needed to mitigate information security risks.
2. Applicability: The policy applies to every person who has access to information technology or assets arranged by ACU. In this manner, it applies to all internal as well as external stakeholders. In addition, the scope of this policy extends to assets and services provided by external service providers on behalf of ACU.
3. Objectives: The lead objective of the policy is to facilitate a security-aware culture and to ensure the confidentiality and integrity of the university's information. A further objective is to avoid breaches of contractual and legal obligations related to information security.
4. Nature of policy: The policy is mandatory in nature; compliance with it is not voluntary.
5. Framework: This is the most significant head of this policy, as it decides the framework through which the university manages information security. The framework comprises policies, standards, and procedures, and can be understood as the platform on which the security objectives of ACU are met. Within this framework, the policy states why the framework is needed and what it requires; standards answer what is required in specific areas; and procedures stipulate the manner in which the standards are implemented.
6. Roles and responsibilities:
All users of the ACU information system have a responsibility to use it in an appropriate manner and for the allowed purposes.
No stakeholder or ACU personnel is allowed to use the information system for unethical purposes, nor for personal purposes.
Every person to whom this policy applies has a responsibility to avoid conflicts of interest and to conduct their activities according to this policy.
The head of the college is responsible for ensuring that adequate control measures are in place. In addition, the information security team of ACU is responsible for updating the systems regularly so that there is no threat to the university's systems.
The head of the governance committee is responsible for ensuring compliance with this policy, and has the responsibility to take necessary actions, such as the imposition of penalties, against any liable party. In this manner, the head of the governance committee plays the role of compliance officer for the purposes of this policy.
The university has the responsibility to develop and ensure best practices for information security in the organization.
7. Requirements: The policy covers the following areas and provides rules regarding each.
Access control: An access shall be considered allowed if it is obtained without any unfair means and falls within the ordinary authority of the person. For instance, data related to staff shall not be accessible to students.
Acceptable use: For the purposes of this policy, use of the information systems is considered acceptable only if users use the system as per the allowed use.
Data handling: The information technology team of the university shall handle all data related to internal as well as external stakeholders. Here data handling refers to the receipt, capture, creation, storage, and processing of data.
E-mail: E-mails are the main source of data breaches. The university discourages all practices involving malware or phishing. No sensitive data related to students or staff members, such as their personal information, contact details or details of their health status, may be sent through e-mail. Lecturers are not allowed to send students' results through e-mail.
Mobile computing: Staff members and students bring their own devices to work, and these are not under the direct control of the university. The risks that such devices can pose must be reviewed, and appropriate controls must be put in place to prevent these risks.
Remote access: The university provides students with login credentials that they can use from anywhere. These accounts are eligible for remote access and use data from the university's network. In this manner, there is always a risk to the ACU network from unauthorized access. A remote access policy provides the way to deal with such remote access and must be kept in consideration by users as well as by the IT team of the organization.
8. Training: All users of the information technology system, especially internal users, shall be provided training to use it efficiently and appropriately, enabling them to identify any potential risk.
9. Exceptions: In some situations, due to the nature and demands of the situation, compliance with this policy may not be possible. In such circumstances an exception may be requested through the exception request procedure.
10. Penalties and prosecutions: Any person found to be in breach of this policy can be held liable for the penalties decided by the governance committee of the university.
11. Others: Any queries or instances of non-compliance related to this policy can be raised with and addressed to the following contact details:
Email: askacu@acu.edu.au; Call: 1300 275 228
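To show how two of the requirements in point 7 of the policy (access control and e-mail) could be enforced in code rather than left as prose, the following is an added illustration and not ACU's own code or systems: a default-deny role/resource matrix for access decisions, and a simple content check that flags outgoing messages breaching the e-mail rule. The role names, data classes, rules, regular expressions and sample inputs are all constructed assumptions for this example.

```python
"""Policy-as-code illustration of two requirements from the policy drafted above.

Added example, not ACU's code: the roles, data classes, rules, patterns and
sample inputs are constructed assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Access control rule: which role may perform which actions on which data class.
# Anything not listed is denied (default deny), so staff records are simply
# absent from every student rule, as the policy's example requires.
ACCESS_RULES: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("student", "student_record"): frozenset({"read"}),   # own record only, see below
    ("student", "course_material"): frozenset({"read"}),
    ("lecturer", "course_material"): frozenset({"read", "write"}),
    ("lecturer", "student_record"): frozenset({"read"}),
    ("lecturer", "student_results"): frozenset({"read", "write"}),
    ("hr_staff", "staff_record"): frozenset({"read", "write"}),
    ("it_team", "system_config"): frozenset({"read", "write"}),
}


@dataclass
class AccessRequest:
    subject_id: str                  # who is asking (e.g. a student or staff ID)
    role: str                        # role assigned to that subject
    action: str                      # "read" or "write"
    resource_class: str              # class of data being accessed
    owner_id: Optional[str] = None   # whose personal record it is, if applicable


def is_access_allowed(req: AccessRequest) -> bool:
    """Return True only if the request is within the subject's ordinary authority."""
    allowed = ACCESS_RULES.get((req.role, req.resource_class), frozenset())
    if req.action not in allowed:
        return False
    # Students may read a student record only when it is their own.
    if req.role == "student" and req.resource_class == "student_record":
        return req.owner_id == req.subject_id
    return True


# E-mail requirement: contact details, health status and student results must
# not be sent by e-mail. Constructed patterns, one per category.
SENSITIVE_PATTERNS = {
    # Australian mobile number in local or +61 form (constructed pattern)
    "contact_details": re.compile(r"(?<!\d)(?:\+?61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "health_status": re.compile(r"\b(?:medical certificate|diagnos(?:is|ed)|health condition)\b", re.I),
    # a grade/mark/result word followed by a score such as 78/100 or 85%
    "student_results": re.compile(r"\b(?:grade|mark|result)s?\b.*?\b\d{1,3}\s*(?:/\s*100|%)", re.I),
}


def email_policy_violations(subject: str, body: str) -> List[str]:
    """Return the sorted names of sensitive-data categories found in a message."""
    text = f"{subject}\n{body}"
    return sorted(name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(text))


if __name__ == "__main__":
    # Constructed sample requests and messages.
    print(is_access_allowed(AccessRequest("s1234567", "student", "read", "staff_record")))                # False
    print(is_access_allowed(AccessRequest("s1234567", "student", "read", "student_record", "s1234567")))  # True
    print(email_policy_violations("Results", "Hi, your result is 78/100. Well done."))                   # ['student_results']
```

The access check is deliberately default-deny: a request is refused unless a rule explicitly grants it, so the policy's "staff data shall not be accessible by students" needs no special case. The e-mail check is a coarse filter meant to prompt a warning before sending, not a substitute for the training in point 8.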
Risk, threats, and mitigation
There are different threats and vulnerabilities to which a university network can be exposed. A vulnerability can be understood as a weak spot in the network that can be exploited by a security threat, whereas risk is the result of those vulnerabilities that remain unaddressed (Techsoupforlibraries.org, 2019). The lead vulnerability for ACU is weak passwords. Easy passwords are easily compromised; nevertheless, since many users work on the same networks, highly complex passwords cannot always be used. Further, students have student login IDs on which they often use easy passwords, yet such accounts are connected to the internal network of the university. In this manner, a weak password is one of the greatest vulnerabilities and further leads to the risk of a data breach. This vulnerability and threat can be mitigated through the security policy documented above. As mentioned above, an IT team is required to be developed; in this scenario, that team will be responsible for reviewing and applying timely updates to the system regularly. Not only official accounts but also student accounts can be reviewed and controlled.
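One concrete control the IT team could apply when reviewing student and staff accounts is a password-policy check run at password set or reset time. The following is an added example, not ACU's code: the minimum length, the tiny stand-in list of common passwords, the character-class threshold and the sample account IDs are constructed assumptions, and a real deployment would compare candidates against a large breached-password corpus rather than the seven entries shown.

```python
"""Password-policy check for the weak-password vulnerability discussed above.

Added example, not ACU's code. The minimum length, the stand-in list of
common passwords and the sample accounts are constructed assumptions; the
check is meant to run only on a candidate password at set/reset time, never
against stored passwords.
"""
from typing import Dict, List

MIN_LENGTH = 12               # assumed policy threshold
MIN_CHARACTER_CLASSES = 3     # of lower, upper, digit, symbol

# Constructed stand-in for a common/breached password list (lower-cased).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "welcome1", "letmein", "acu2019",
}


def character_classes(password: str) -> int:
    """Count how many of the lower, upper, digit and symbol classes appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def has_sequence(password: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters ascend by one (abcd, 1234, ...)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if all(window[j + 1] - window[j] == 1 for j in range(run - 1)):
            return True
    return False


def password_weaknesses(password: str, user_id: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common_password")
    if user_id and user_id.lower() in password.lower():
        reasons.append("contains_user_id")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        reasons.append("low_character_variety")
    if has_sequence(password):
        reasons.append("sequential_characters")
    return reasons


def audit_accounts(candidates: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each user ID whose candidate password fails the policy to its reasons.

    `candidates` maps user ID -> candidate password, as available at reset time.
    """
    failures: Dict[str, List[str]] = {}
    for user_id, password in candidates.items():
        reasons = password_weaknesses(password, user_id)
        if reasons:
            failures[user_id] = reasons
    return failures


if __name__ == "__main__":
    # Constructed sample: one student ID with a weak password, one with a strong one.
    sample = {"s1234567": "password1", "s7654321": "correct-horse-Battery-9"}
    for uid, reasons in audit_accounts(sample).items():
        print(uid, "->", ", ".join(reasons))
```

Returning the list of broken rules, rather than a bare pass/fail, lets the reset form tell the user exactly what to change, which supports the training objective of the policy as well as the control itself.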
Another vulnerability is missing authorization. Again, this can pose a risk to the official data of the university. There are many different users of the information systems, and in this manner it seems difficult to manage the different access points available to them. This vulnerability can pose a significant threat to data if any authorization check is missing. As discussed above, any unauthorized use of data shall be considered a breach of the university's IT policy, and it can be prevented by considering the points on remote access and mobile computing set out in the policy. The university can restrict access to accounts from personal devices and in this manner can ensure the authorized use of data.
Recently a case of a data breach was reported in which several staff e-mail accounts were accessed without authorization. A phishing technique was used in this data breach (Pearce, 2019). In this manner, it is not wrong to state that inappropriate use of email is another vulnerability. Phishing is an activity whereby, by sending a fraudulent email, the attacker seeks personal information from recipients (Phishing.org, 2019). The policy documented above is capable of mitigating this risk too. As discussed in point 8 (Training) of the policy, this risk can be mitigated by providing training to users. When users of email can recognize inappropriate emails and techniques such as phishing, they will be able to understand the risk associated with them and will not fall for them. In this manner, the policy developed here can address all the leading vulnerabilities and risks of ACU's networks.
Conclusion
In conclusion, the information system of every organization must be safe as well as secure from different risks. In the presented report, a security policy for ACU has been developed in which different aspects such as its purpose, scope, and objectives have been discussed, in addition to different ways in which risk to the IT network can be
mitigated. In the second part of the report, potential vulnerabilities and risks to ACU's network have been discussed, along with the ways in which the developed policy can help. ACU can have a secure network by considering the aspects highlighted in the policy and by complying with it.
References
Acu.edu.au. (2019) About ACU. [online] Available from: https://www.acu.edu.au/about-acu
[Accessed on 03/10/2019]
Business.qld.gov.au. (2019) What is information technology risk? [online] Available from:
https://www.business.qld.gov.au/running-business/protecting-business/risk-management/it-
risk-management/defined [Accessed on 03/10/2019]
Pearce, R. (2019) Phishers hit ACU, compromised systems. [online] Available from:
https://www.computerworld.com.au/article/662989/phishers-hit-acu-compromised-systems/
[Accessed on 03/10/2019]
Phishing.org. (2019) What Is Phishing? [online] Available from:
https://www.phishing.org/what-is-phishing [Accessed on 03/10/2019]
Rouse, M. (2019) Security Policy. [online] Available from:
https://searchsecurity.techtarget.com/definition/security-policy [Accessed on 03/10/2019]
Saarinen, J. (2019) Australian Catholic University breach nets staff details. [online]
Available from: https://www.itnews.com.au/news/australian-catholic-university-breach-nets-
staff-details-526849 [Accessed on 03/10/2019]
Techsoupforlibraries.org. (2019) Identifying Vulnerabilities and Risks on Your Network.
[online] Available from:
http://www.techsoupforlibraries.org/planning-for-success/networking-and-security/
identifying-vulnerabilities-and-risks-on-your-network [Accessed on 03/10/2019]