Privacy Policy

Information Security Policy

1.2.1 Policy statement

SR LAW has adopted an information security policy which addresses security issues related to the ownership, integrity and accessibility of information, and in particular, risks associated with the use of computers and networks for storing, transferring and processing information. The Company has a strong commitment to protecting its critical information assets against unauthorised access and use, theft, modification, destruction and unauthorised disclosure, and regards the protection of information assets as the common responsibility of all staff, students and third parties who conduct business with or have other involvement with SR LAW.

This policy is derived from obligations under the NSW Government's Information Standard No 18 - Information Security, which applies to statutory authorities such as SR LAW. This policy also reflects SR LAW's commitment to comply as far as practicable with other standards designed to enhance protection of information assets, such as Australian and industry standards. This policy also supports SR LAW's obligations to comply with security requirements for managing records and for protecting personal privacy.

1.2.2 Application

This policy applies to all operating units of SR LAW, and to all staff, students, and third parties such as contractors, consultants or visitors who utilise SR LAW's information resources or services. The policy is designed to protect all information assets of SR LAW, that is information related to SR LAW's business activities, whether processed by computers owned by or operated on behalf of the Company, on the Company's premises, or held in physical records sources. The policy also applies to voice and data communications equipment and software owned by SR LAW or personal equipment connected to the SR LAW network and to data in transit in SR LAW communications media.

1.2.3 Roles and responsibilities relating to information security

Data or system custodians

Unless stated otherwise by separate agreement, ownership of information, data and software within SR LAW is held solely by SR LAW and is not assigned or delegated in any way. All major information assets must be accounted for and have a nominated owner or custodian who is accountable for the implementation and management of this policy in relation to the asset. For further information on the role of data custodians, refer to F/1.1. The Information Technology Services Department maintains a list of custodians of information systems and resources.

1.2.4 Responsibilities of individual users

SR LAW provides access to information datasets and systems to individual users based on their roles. All users must be aware of the security requirements for the systems they use and must take reasonable precautions to safeguard their access to these systems against inappropriate or unauthorised access.

General responsibilities relating to the use of information services and systems at SR LAW are outlined in the Acceptable use of information technology resources. All users must agree to use information services and resources in accordance with this policy, and will be expected to comply with published security measures which ensure that information networks and systems are not placed at risk of inappropriate or unauthorised access. A user must not bypass security mechanisms and virus management systems.

Any breaches of security requirements by an individual user may result in disciplinary action or the suspension or termination of access rights and computer accounts, and may be reported to law enforcement authorities for appropriate action.

SR LAW staff users may be granted access to valuable or sensitive information. Staff have a responsibility, both under this policy and other policies such as SR LAW's information privacy policy, to maintain the security of such information. This responsibility applies not merely to information accessed whilst on Company premises, but also necessitates that appropriate care be taken when using private computers or networks. Information which is classified as protected or highly protected should not be moved out of an environment in which SR LAW's routine security arrangements (both physical and technical) apply.

1.2.5 Information security classification

SR LAW has a two-tier information security classification framework.

Information systems and resources (including physical corporate records resources) are classified according to their degree of criticality to Company business operations. Systems and resources vital to maintaining business continuity are given the highest classification within this framework. These classification levels apply to all information systems, services, network segments and physical areas and equipment in which these systems are housed or accessed. Physical and environmental security controls should be in place for areas where security classified information is processed or handled, which may restrict entry to authorised users only. All staff, students or external contractors are allocated a clearance level to determine what information systems they are able to access.

The second element of the security classification framework is based on the nature of the information contained within a given dataset. The Company uses the following classification levels for information (from least to most secured information):

These classifications are applied according to the value, importance and sensitivity of information, taking into account risk assessments, privacy, legal obligations, legislative requirements and commercial value. Where subsets of information within a given dataset are classified at a different or higher level of protection (for example, tax file numbers), appropriate security and access measures must be in place to reflect these varying security requirements. These may entail greater limits on view-only access, restrictions on the capacity to modify data, and similar safeguards.

All information resources must have a security classification approved by the relevant data or system custodian. Any changes to classifications must also be approved by that officer. Any data received from an external source must also be classified. In general it will inherit the classification of the information system for which it is intended. Use of alternative information classification schemes is permitted only where mapping to this classification framework is undertaken.

Copying, storage and transmission of data should be handled such that clearance levels match the classification of the data. For example, data classified as protected should be stored in an area or on a server classified as protected.

1.2.6 Access

Access to information systems at SR LAW is provided to staff and, where appropriate, external persons for the purpose of carrying out work or other activities as agreed with the Company. In general, access to data is regulated by guidelines and procedures defined for each service and is granted on the "least privilege" principle, in which each user is granted the most restricted set of privileges needed for the performance of relevant tasks.

Staff access

Access to add, delete or modify data must be commensurate with job responsibilities, and position descriptions should adequately document data responsibilities and roles. Additionally, for IT systems, duties of system management, administration, audit and operational tasks should be carried out separately by different staff (the "separation of roles" principle).

Staff with more extensive privileges, whether in relation to information or systems, may be required to sign a confidentiality agreement either at the time of appointment or when the privileges are granted.

Access to information concerning technical solutions employed in the realisation of systems security controls is only available to specifically authorised staff.

Except for information classified as publicly available (for example, the home page of the Company's website) access to information systems at SR LAW must be controlled through user authentication and authorisation mechanisms. Physical access to protected or highly protected systems or equipment is controlled by designing appropriate isolation for sensitive computer and communications equipment and media. Specifically designated secure areas should be provided.

Third party access

Granting access to third parties must take full account of the security risks involved and ensure that adequate controls to protect SR LAW's information assets are imposed (adequacy of controls must take into account the "least privilege" and "separation of roles" principles).

Responsibility for granting access rights

In general, the data custodian has responsibility for determining data security requirements and user access levels for the dataset or system, though responsibility for determining user access levels may be delegated. The decision on the granting of access for individual users is made according to the normal delegated authority processes of the Company. Decisions by a delegate authorised to grant access must be made in accordance with the considerations set out in this section, in particular the "least privilege" principle and the "separation of roles" principle.

All users agree to abide by SR LAW's Acceptable use of information technology resources policy as a condition of access to SR LAW's systems. Access to SR LAW's systems without authorisation will incur an appropriate response by the Company, including, where appropriate, penalties or misconduct actions, or prosecution under the law. Access to information assets at SR LAW is monitored.

Review of access rights

Whether undertaken through system design, automated processes or manually, it is a responsibility of all data custodians to implement a system whereby access rights are reviewed regularly (at least annually).

Revocation of access rights

The data or system custodian should ensure that appropriate mechanisms are in place for revocation or downgrading of access rights due to termination of employment, change of position or due to security breaches or other misconduct. Exit procedures for staff should revoke access to physical resources and buildings by cancellation of building access and return of keys.

1.2.7 Information security audits, monitoring and enforcement

The Company monitors its information assets and carries out detailed security audits of systems and data as required. As a result, SR LAW logs network activity and may use it to investigate faults, security breaches and unlawful activity. Where diagnosis of problems, investigations or security audits are required, the Company reserves the right to access individual files.

Business continuity plans for critical information systems must be developed and reviewed regularly. An inventory of business continuity plans and a schedule for their review should be tabled once a year at the Information Technology Governance Committee.

This policy supports and complements State and Commonwealth law. It should be emphasised that illegal access to and use of computer systems at SR LAW constitutes a crime under the relevant legislation.