
 

Protect your data


The University is entrusted with large amounts of confidential and personal data vital for our services. The things you do to protect our data may very well help to protect your own personal information as well.

  • Understand the data you have access to and manage
  • Use UniSA resources to store internal or confidential data
  • Understand who you give access to your data
  • Understand how you move data and send it to others
  • Protect where your data is stored

For information on each of these, check out the following sections.


University information is classified into four high-level categories:

  1. Public Data can generally be made available or distributed to the general public, e.g. course offerings or UniSA rankings
  2. Internal Information is for internal University use only and not for external distribution, e.g. daily operations or course material
  3. Confidential Information is for internal use and is accessible only to staff who require it in the course of performing their role, e.g. financial details, health and other research data, information protected by Federal and/or State legislation
  4. Restricted Information is to be kept strictly confidential, with access on a strict "need to know" basis

Prior to the adoption of any new third-party service, a risk assessment is required to be undertaken by the ISTS Cyber Security team to ensure that the business owner of the service acknowledges the risks involved in storing University data in an external system.

Cyber Security risk assessments are driven by university policy and ensure that appropriate organisational and legislative obligations are adhered to.

 

What do I need to do?

  • You need to know the exact nature of the data that will be stored in the third-party system.
  • This data should be correctly classified as per the UniSA Information Security Policy. The cyber security team is not responsible for classifying your data.
  • If the risk and/or data is not classified as low and UniSA Legal have not already reviewed the terms and conditions of any contractual agreements before you engage the cyber security team, we may request that this review is done.
  • You need to ensure that the information provided in the initial request form is complete and accurate.

 

What will the cyber security team do?

The Cyber Security team will assess the information provided and then:

  • Perform a technical solution review.
  • Perform an assessment of the information security maturity of the vendor.
  • Liaise with the Chief Information Security Officer for endorsement of the proposed solution.
  • Seek executive level review and acceptance.
  • Communicate outcomes to the business owner of the proposed solution.

 

What does the vendor need to do?

As part of the University’s vendor due diligence process, we need to have an adequate level of comfort that the vendor has sufficient security controls in place to protect UniSA digital assets.

  • The vendor will be provided with an initial security questionnaire which gives the vendor the opportunity to provide evidence of their information security practices. We ask that this is completed as soon as practicable, as it will determine if a more detailed questionnaire is required.
  • Provide supporting documentation that substantiates their information security capability.

 

The ISTS Cyber Security team has an advisory role only in the assessment process. Should risks be identified, risk acceptance is a decision for the business owner, in line with the university risk management framework.

With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer's operating system (e.g., BitLocker or FileVault).
  • Secure those devices and backup data. Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you'll be able to identify and report exactly what information is at risk. 
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the boot, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. Do not choose options that allow your computer to remember your passwords.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer's hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don't forget to review an app’s specifications and privacy permissions before installing it!
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities.

 

It's important to understand where your data is stored and what requirements you need to follow for different data classifications to comply with UniSA policies and government legislation. Staff and researchers should be particularly aware of their responsibility when storing confidential information and/or research data.

The University provides a range of data storage solutions for meeting different storage requirements and can help ensure you are choosing an appropriate solution for your data.

Staff, students, and other individuals with access to UniSA information should understand UniSA's information security policies and guidelines and the importance of having good work practices that follow them. This helps reduce the possibility and effects of potential data breaches.

In addition to keeping soft copies of the University's data secure, staff and students should be aware of hard copies. Hard copies containing Confidential or Restricted information should be kept to a minimum and stored securely when not in immediate use. They should be shredded or placed in confidential bins once no longer needed.