
Bond ITS response to Foreign Interference Guidelines - Cyber Security

Published by msayer, 2022-07-03 22:37:36


Foreign Interference
Bond’s Cyber Security response

Objective and Scope

This paper documents Bond’s compliance with the Cyber Security principles extracted from the new Guidelines to Counter Foreign Interference in the Australian University Sector, which have been issued by the Australian Government. The guidelines are not mandatory; however, Bond is working towards compliance.

In summary, the key overarching principles that guided the development of these guidelines are:
• security must safeguard academic freedom, values and research collaboration;
• research, collaboration and education activities mindful of the national interest;
• security is a collective responsibility with individual accountability;
• security should be proportionate to organisational risk; and
• the safety of our university community is paramount.

The guidelines have 5 key themes, one of which is cyber security: Protecting information held on ICT systems through the development and implementation of robust cyber security strategies, engaging with Commonwealth agencies, sharing best practice and cyber threat modelling.

The key areas for cyber security are:
1. implementation of university cyber security strategies;
2. cyber-intelligence sharing across the sector and with government;
3. cyber security as a whole-of-organisation “human” issue, with strong emphasis on a positive security culture; and
4. cyber threat-models to understand and mitigate business risks

Each of these areas is covered in this document, with Bond’s response to each recommendation from the University Foreign Interference Taskforce (UFIT).

1 - Implementation of university cyber security strategies

1. UFIT Recommendation: Cyber strategies are based on an understanding of, and are proportionate to, the risks the university may face from cyber threats and potential vulnerabilities
   Bond Response: Bond has a risk-based approach to cyber security. A cyber security risk management procedure is used to assess risks against defined tolerances and identify suitable controls. The elements of the cyber security framework collectively define a security baseline designed to promote the objectives of the University whilst managing cyber security risk to an acceptable level.

2. UFIT Recommendation: Cyber strategies draw on existing frameworks such as the Information Security Manual (ISM), Essential 8 or National Institute of Standards and Technology to develop a coherent and complementary set of safeguards
   Bond Response: Bond’s approach to cyber security draws upon a number of frameworks such as:
   • ISF Standard of Good Practice for Information Security 2016;
   • NIST Cybersecurity Framework;
   • ISO27001 and ISO27002; and
   • ASD Essential Eight.

3. UFIT Recommendation: Cyber strategies enhance sharing of strategies and expertise across the sector
   Bond Response: Bond regularly collaborates across the sector and with trusted organisations. Collaboration and relationships with other higher education institutions strengthen our internal information security capabilities and contribute to broader initiatives to reduce the impact of cyber threats. Bond contributes to intelligence sharing initiatives across and beyond the higher education sector. Bond also participates actively in the QUDIT ICT Security & Identity Management Community of Practice (CoP) and the CAUDIT Cybersecurity CoP.

4. UFIT Recommendation: Cyber strategies assist to develop a core set of design and operational documents, policies and procedures (to guide risk identification and management);
   Bond Response: Bond has developed a suite of security frameworks and documents including:
   • Newly revamped Information Security policy
   • Cyber security mitigation strategy matrix highlighting our cyber security maturity and alignment
   • A large number of information security procedures
   • Non-functional requirements for cyber security used in procurement and software selection

5. UFIT Recommendation: Cyber strategies encompass aspects of security culture, governance, supply chain, technical controls and data
   Bond Response:
   • Bond has a good cyber security culture supported by a simulated phishing programme, regular communications to provide cyber security awareness, a new website and cyber security presentations and learning awareness sessions for staff and students.
   • Bond's enterprise and IT governance are leveraged to drive consistent approaches to cyber security that are aligned with Bond University objectives.
   • Supply chain risk is managed by incorporating cyber security requirements into Bond’s ICT procurement framework.

6. UFIT Recommendation: Consider methods to track the progress and effectiveness of a university's cyber security strategy
   Bond Response: The following changes in security metrics will be used to track the success of cyber security initiatives:
   • reduced residual information security risk to Bond
   • increased risk mitigation due to implemented security controls
   • increased level of maturity against best practice frameworks
   • reduction in the average resolution time for security incidents
   • increased proportion of users that have registered for Multi-factor authentication
   • increased proportion of users that have completed simulated phishing exercises and respond appropriately to malicious emails
   • increased proportion of hosts where security Operating System and application patches are up-to-date.
   ITS will also deliver a semesterly dashboard / scorecard to the University Executive with progress updates on key projects and statistics relating to cyber security risks and incidents.

2 - Cyber-intelligence sharing across the sector and with Government

1. UFIT Recommendation: Share sensor data and other threat intelligence (however, the discretion to do so, and to what extent, always remains with each university)
   Bond Response: Bond uses AusCERT's Information Sharing & Analysis Centre as well as REN-ISAC (US Research & Education Networks Information Sharing & Analysis Centre) to receive and share threat intelligence. We plan to ingest the ISAC data into Splunk, our Threat intelligence software, in the future, but we are currently receiving ISAC data via email or by logging into the MISP platform.

2. UFIT Recommendation: Participate in sector briefings and forums convened by the Australian Cyber Security Centre (ACSC) and other security agencies
   Bond Response: Bond participates in sector briefings and forums including:
   • CAUDIT briefings
   • QUDIT briefings and CoP
   • QuestNet conference and CoP
   • AusCERT conference and briefings
   • ACSC Partnership in place with confidentiality deed signed by Bond’s legal counsel.
   • AHECS (Australasian Higher Education Cybersecurity Service)

3. UFIT Recommendation: Consider joint incident management arrangements with other universities, to help build surge capability
   Bond Response: No arrangements in place at this time.

4. UFIT Recommendation: Share insights on cyber security-related technology choices
   Bond Response: Bond communicates with other universities when analysing cyber security technologies, regularly via ACSC, AHECS and AusCERT Slack channels. For example, Bond discussed the best technologies for the Multi-Factor Authentication project with some other universities.

5. UFIT Recommendation: Consider secure methods of storing and transmitting shareable cyber-intelligence
   Bond Response: Bond uses the SPLUNK platform to securely store data and logs to facilitate threat intelligence.

6. UFIT Recommendation: Ensure data sharing arrangements accord with the principles of privacy and any commercial considerations
   Bond Response: Bond's processes, including the delegation framework and procurement framework, ensure that privacy principles are adhered to when using third parties to process Bond data. Guidelines for research collaborations are also published.

7. UFIT Recommendation: Maintain a current list of government security agency contacts
   Bond Response: Bond’s Planning Department maintain relationships with government agencies.

3 - Cyber security as a whole-of-organisation "human" issue, with strong emphasis on a positive security culture

1. UFIT Recommendation: Calibrate cyber security messages and cultural change programs to the unique challenges and expectations of its different user groups i.e. researchers, staff, students and executives

2. UFIT Recommendation: Engage all levels of university structures, including councils, to help embed and drive a positive cyber security culture

   Bond Response (1 and 2): Bond carefully calibrates security messages and cultural change programs in order to engage all levels of the University structure. Examples of audiences include:
   • ITS staff
   • University Executives and Senior Management
   • Staff (e.g. lock screens, email signatures, Daily Digest articles, staff intranet and Bond’s website)
   • All staff and students (e.g. digital signage, Student Portal notifications, email distribution)
   • Risk and Audit Committee briefings
   • Papers to University Management Committee (UMC) and Council

3. UFIT Recommendation: Align cyber safe culture programs to the other elements of a university’s cyber security strategy
   Bond Response: Communications regarding cyber security projects and activities include references to key cyber security messages and themes. In 2019 the information governance program and cyber security improvement program aligned its communication campaign to ensure maximum awareness and retention occurred.

4. UFIT Recommendation: Frame cyber security challenges and solutions through the lens of users not just technology
   Bond Response: All of Bond's cyber security messaging is delivered through the lens of the audience, reducing the use of technical terminology and relating to the user. Cyber security advice is couched in terms that provide individual benefit (e.g., personal devices, family / at-home use) as well as benefit to Bond.

5. UFIT Recommendation: Emphasise the overarching principle of collective and individual responsibility in a mature cyber safe culture
   Bond Response: Key messages to all members of the Bond community are that Cyber security is everyone’s responsibility.

6. UFIT Recommendation: Promote cyber security capabilities as an enabler and safeguard for academic freedom and free intellectual enquiry
   Bond Response: Cyber security is promoted as an enabler, and aligns with BOND's key objectives of:
   1. Program – delivering innovative programs attuned to industry and market needs
   2. Practice – providing a service-oriented culture focussed on outcomes
   3. Profile – Raise our reputation, brand and the profile and impact of our research
   4. People – Promote commitment, agility and responsiveness within our workforce culture
   Programs are run for Digital Transformation and Hacking, Networks and Security – in both of which we have included cyber security awareness presentations from IT Services to students. Intellectual property and collaboration in relation to privacy and research & academic endeavours are also front of mind.

7. UFIT Recommendation: Share approaches on creating and embedding cyber safety messages and practice mindful of the commonality of some cultural challenges, and the mobility of personnel between campuses
   Bond Response: Bond makes use of freely available security materials such as the Australian Government's "Stay smart online" handbook.

4 - Cyber threat models to understand and mitigate business risks

1. UFIT Recommendation: Regular guidance from ACSC and other security agencies to enhance understanding of the nature of the threats faced
   Bond Response: Bond Information Security staff monitor threat reports from many sources, including the ACSC, REN-ISAC, AusCERT and different vendor reports.

2. UFIT Recommendation: Tie threat models to sources of threat intelligence; and regularly update to align to current and emergent threats
   Bond Response: Bond maintain a threat landscape, consisting of a high-level risk analysis of different actors and techniques which is updated regularly.

3. UFIT Recommendation: Encouragement for universities to share threat models with each other and government agencies to develop a common threat picture, and potential sector-wide mitigations
   Bond Response: Bond will raise this with the QUDIT ICT Security & Identity Management CoP and CAUDIT Cybersecurity Community of Practice.

4. UFIT Recommendation: Threat models that help guide and refine university cyber security strategies as well as capability investment
   Bond Response: The Bond risk and threat landscape is used to inform cyber security risk assessments and subsequent funding for enhanced controls.

5. UFIT Recommendation: Threat-models developed with input from a broad set of organisational ‘risk owners’. Training for risk owners and executives in threat modelling thinking may assist
   Bond Response: To date, Information Security staff have been involved in the development of threat models. Risk assessment training has been conducted across different organisational units which incorporates consideration of the Bond threat landscape.

