University A: Privacy and Security Procedures for Compliance Report
Added on 2022/10/17
AI Summary
This report focuses on University A's implementation of a new Student Management System (SMS) and the associated privacy and security procedures for compliance. It outlines the relevant laws and regulations that University A must adhere to, including the IT security policy, external provider laws, and cloud and managed services guidelines. The report details the university's obligations, emphasizing the importance of compliance to protect data and maintain system security. It covers various aspects such as application classification, software application selection, maintenance, patch management, and review. The document also highlights the significance of risk management plans, consultation, and approval processes. The analysis underscores the importance of these procedures in ensuring the security of the information system, preventing data breaches, and maintaining the integrity of university operations. The report aims to provide a comprehensive overview of the measures required for University A to ensure a secure and compliant SMS implementation.

PRIVACY AND SECURITY PROCEDURES FOR COMPLIANCE
{STUDENT NAME}
{PROFESSOR’S NAME}
{DATE}

Table of Contents
Introduction
Law and Regulations for compliance by University A
  Section 4 of the IT security policy
  External providers law
  Cloud and Managed Services
  Cloud Managed Services Risk Management Plan
  Consultation
  Approvals
  Cloud and Managed Services Register
  Application Classification
  Software Application Selection
  Software Application Maintenance
  Patch Management and Security Updates
  Software Application Review
  Software Application Retirement
Obligations of University A Under the Laws
Importance of the Obligation
Laws, Regulations and procedures Compliance
Other Areas to be Considered
Conclusion
Reference

Introduction
The report is about University A, which is located in New South Wales, Australia.
The university aims to implement a new student management system (SMS), which will
be used to manage the university's learning operations, since it normally recruits
45% international students and 55% domestic students. There are laws, regulations
and procedures set out for compliance by the university. These laws and regulations
have to be complied with for the implementation of the SMS to be smooth, since the
university aims at maximum revenue collection, which will come as a result of
complying with the laws and regulations set out.
Law and Regulations for compliance by University A
The university has to comply with the regulations below, taken from ("Home / Victoria
University Policy Library", 2019):
Section 4 of the IT security policy
(23) “All community members who wish to use Victoria University multi-user computer
systems must sign a compliance statement prior to being issued a staff or user ID. For staff this is
part of their employment conditions. For students this is part of their enrolment form.”
External providers law
(24) “The responsibility for the security of equipment deployed by external service
providers must be clarified in the contract with the service provider and include documentation of
security contacts and escalation procedures.”
(25) “All outsourcing contracts between external providers and Victoria University for
services and equipment must comply with the Contracts Policy and Procedures and will include
reference to IT Security policies and procedures.”
(26) “Business Owners will monitor and review external provider services to ensure
appropriate security controls are implemented and maintained as specified in the outsourcing
contract.”
Cloud and Managed Services
(8) “The strategic decision is to use Clouding Computing or Managed Services as a
preferred model where there is a clear demonstration of cost savings and overall business value
for the University.”
(9) “There is a growing trend within the industry to obtain Information and
Communication Technology (ICT) systems and applications managed in the cloud due to the low
costs and simple access methods using the Internet.”
(10) “Without a defined framework the University can be exposed to the following risks:
a. Loss of University information;
b. Noncompliance to Federal and State based legislation;
c. Increased usage costs.”
(11) “VU Departments considering the use of cloud and managed services systems in lieu
of corporate IT systems must complete a full procurement process, including a full risk
assessment and consideration of options.”
Cloud Managed Services Risk Management Plan
(12) “Contracts with Cloud providers or IT managed service providers cannot be entered
without a risk based assessment being undertaken.”
(13) “All commercial and organisational risks need to be assessed, outlining any
compliance, contractual and reputational impacts to the University by developing a Cloud
Managed Services Risk Management Plan:
a. Cloud Managed Services Risk Management Plan
b. Cloud & Managed Services Risk Assessment Criteria”
(14) “Architectural design is to be included in the assessment process and approved by
ITS.”
(15) “ITS provide consultancy services to assist in the development of the "Cloud and
Managed Services" Risk Management Plan.”
Consultation
(16) “Consultation with the following areas in VU must be undertaken during the
assessment process:
a. IT Security and Assurance team (Information Technology Services)
b. Records Services team (Records and Archives Services)
c. Legal Services team for the provision of Legal advice (Legal Services)
d. Web Services team to ascertain the impact on usability standards for
services provided online (Web Services).”
Approvals
(17) “Initial approval by the business owner supported by a Deputy or Pro-Vice-
Chancellor.”
(18) “Final approval by the Pro-Vice Chancellor and CIO /Direct reports required before
contracts can be signed.”
Cloud and Managed Services Register
(19) “Cloud and managed services register to be updated.”
Application Classification
(5) “The ITS department will maintain a register of Software Applications with
appropriate classifications according to the degree of importance to University operations. This
classification will influence the amount of resources applied to maintain the Software
Application.”
(7) “A Software Application may still be allocated to Tier 1 - Mission Critical if it does
not meet the criteria. Justifications include value to the University, strategic importance,
reputational risks and external compliance.”
Software Application Selection
(8) “Any new Software Application must meet certain requirements.
a. Functional and technical requirements of the University.
b. A market comparison assessment must be undertaken to compare similar
products.
c. The application should not duplicate or have significant similarities with
existing systems used by the University.
d. A detailed business case must be developed to ascertain the total cost of
ownership over 5 years including implementation costs.
e. Where a commercially developed solution is not available in the market
and business processes cannot be re-engineered, an internal software development
project will be established for funding prioritisation.
f. Where applicable, a commercially developed solution must be reviewed.
g. A review will be undertaken by Production Support before a final decision
is made.”
Software Application Maintenance
(9) “Any changes to the Software Application must be appropriately tested in a Test and
UAT environment and approved for deployment into production by adhering to the Change
Management Framework.”
(10) “The changes must take into consideration resource availability and the impact of the
change to University operations. Where possible, both changes to the Software Application and
underlying ICT infrastructure will be undertaken concurrently to minimize multiple outages.”
Patch Management and Security Updates
(11) “Software Application must be properly updated to reflect improvements and any
changes or updates supplied by the supplier. In certain circumstances the updates improve
performance and reduce system vulnerability.”
(12) “All security and patch updates released by the suppliers of infrastructure, database,
middleware and applications will require certification from the Software Application Supplier.
This is to ensure the patch or security update does not generate application issues.”
(13) “If the University detects a security threat from a proposed patch, a decision will be
made with the Business Owner and ITS. The decision will take into consideration of business
impact and the risks to the organization. The supplier maintenance support contract is void until
the patch is certified by the supplier.”
Software Application Review
(14) “All Software Applications should be reviewed at least once every 5 years to ensure
the Software Application:
a. Continues to support all the internal and external compliance requirements.
b. Continues to meet the needs of the affected areas of the University.
c. Continues to be cost effective for the University and does not present any
risks that may impact operations.”
(15) “Software Application deemed unsuitable will undergo a Software Application
assessment before a new product is purchased.”
Software Application Retirement
(16) “A Software Application no longer in use should be archived and removed from the
University environment.”
(17) “A Software Application that is approaching "end of life" will need to be retired with
a transition plan to either develop or select a new Software Application.”

Obligations of University A Under the Laws
For Section 4 of the IT security policy, sub section 23, the university has to make sure that
employees and students sign the compliance forms before they are issued with the user ID
to access the system.
Under the external providers law, sub section 24, the university has to ensure that the security
of the equipment supplied by the external providers is clearly written into the
contract. Sub section 25, the university is to ensure that the contracts with the external providers
are in line with the contracts policy and procedures. Sub section 26, the university has to ensure
that it monitors the services offered by the service providers and that the security
controls of the services are implemented as stated in the contract.
In cloud and managed services, sub section 8, the university has to make sure that the
cloud computing which has been put in place is cost effective as well as improving the
transactions of the university. Sub section 9, the university is to follow the trend of making use
of cloud based systems, as they are cost saving and effective. Sub section 10, the university has to
create a clear framework to ensure that system security is well maintained and there is no risk
of losing the university's information through cyber-crime and hacking. This can be made
possible by making sure that the university complies with the Federal and State based legislation.
Sub section 11, the university has to ensure that the procurement procedures have been fully
followed and complied with, including the risk assessment.
In the risk management plan for the cloud services, sub section 12, the university is not
supposed to enter into contracts with cloud based providers without risk plans being undertaken.
Sub section 13, any risk has to be assessed by the university with consideration of the impact and
the compliance to the university. Sub section 14, the university is to ensure that the architectural design
is included in the process of assessment and is also approved by the Information Technology
departments.
For consultation, sub section 16, the university has to consult with the various departments
stated in the regulation section. The university is to ensure that approvals are made by the
university, supported by the vice-chancellor, who will also approve the final contract as outlined
in the approval section, sub sections 17 and 18.
In application classification, sub sections 5 and 7, the university has to ensure that every
software application has been documented in the register in accordance with its degree of importance.
In software selection, sub section 8, the university has to make sure that new software
procured meets the laid down minimum requirements. All changes to the software have to be tested
and approved as stated in sub section 9, and the impact of the change on the operation of the
university considered as stated in sub section 10.
Importance of the Obligation
Having employees and students sign the compliance statement form will ensure the
security of the information system, as only authorized individuals will have access to the system.
If this is not done, unauthorized people will have access to the system using that gap, hence
compromising the university's information and data.
Ensuring that the contract covers the security of the equipment will put the university
in a position to maintain the equipment it has procured. If this is breached, then
most of the equipment will fail to operate with no option or chance of being repaired.
Monitoring the services offered by the service provider will ensure that the exact
service outlined in the contract has been delivered as agreed. If breached, the services might be
under-delivered with no chance of raising a complaint or demanding the contracted services.
Cost effective cloud computing storage and services enable the university to have
maximum revenue collection. If this is breached, then the cloud computing storage will be very
expensive to run and maintain, hence costing the university a lot.
Maintaining the security system will help keep the university from losing information which is
confidential and important. Breaching this regulation will attract hackers, hence creating a
possibility of losing confidential information of the university and the students at large.
Undertaking a risk plan helps the university to plan for the future and for how to manage the
possible risks which come with the implementation. Breaching this law will create a failure in
the system, and when the system fails it will dearly cost the university, as every operation will be
halted.
Approval by the pro vice-chancellor is very important as it creates
awareness of which contracts have been signed, hence making it possible to monitor the
services. If this is breached, many contracts will be signed without the consent of the
vice-chancellor, and these will be overestimated, hence costing the university.

Laws, Regulations and Procedures Compliance
In order to demonstrate compliance with the laws, regulations and
procedures stated above, the university has to make sure that it follows them with utmost
strictness. This includes the following:
a. All contracts to undergo correct procurement procedures as outlined in the
laws.
b. All software to be upgraded and maintained every 5 years, as the
law states.
c. No access to the system until the compliance statement is duly filled in.
d. Ensuring that the software services to be procured are cost-effective for the
university.
e. Ensuring that the security of the system is given the highest priority and is well
discussed and agreed in the contract.
f. Making sure that proper consultation has been done, as stated in the laws,
before incorporation into the university services.
g. The security of the system has to be maintained, and in case of any change,
the software has to be tested as stated in the regulations and procedures.
h. Every piece of software must have a risk management plan duly discussed in the
contract.
Other Areas to be Considered
There are other relevant areas which have to be taken into consideration even though they are not
outlined in the laws, regulations and procedures. These include the following: