Version Information
Fri, 31 Mar 2023
Approved by: Governance Board
Current Version: V1.1
Replaces Version: V1.0
Next Review: Fri, 31 Dec 2021
Domain:
Institute
Information Management and Security Policy
Purpose
This policy is designed to ensure that appropriate information technology management and security measures are in place to protect Metavision Institute’s information and assets against unauthorised access and use, or modification by human error, ensure staff and students have continuous access to Information Technology systems, and mitigate risks and damage arising from the use of information and assets. The policy outlines the governance and monitoring framework for use and protection of Metavision Institute’s information assets and systems.
Scope
This policy applies to all staff, contractors, third parties and students who use Metavision Institute’s information systems and assets.
Definitions
Continuity of access: Measures taken by Metavision Institute to ensure staff and students have continuous and secure access to the Institute’s IT systems and course materials made available through the Student Management System and Moodle Learning Management System, Sophia.
Cyber breach: malware, computer hacking, ransomware, denial of service attack, or other breach.
Cyber security: protection against cyber breach or accidental modification or release of information.
Information assets: records stored on Metavision Institute’s computers and backed up on the cloud, and data stored in the Learning Management System, Student Management System and the website.
Relevant TEQSA Threshold Standards
This policy aligns with requirements of 6.2.1e Corporate Monitoring and Accountability to identify, manage and mitigate risks and 7.3 Information Management in the Higher Education Standards Framework 2015.
Policy
1. This policy reflects Metavision Institute’s commitment to protect its information assets and appropriately manage its information systems to minimise risks to cyber security and ensure continuous and secure access to online course materials and learning tools by staff and students. The policy is aligned with the Risk Management Framework.
2. Metavision Institute is committed to ensuring the integrity of its information and data, and that all authorised users have appropriate and continuous access to information systems for the purpose of study and administration of its higher education courses.
3. A business continuity plan is established and maintained by senior management to ensure Metavision Institute has the capacity to quickly respond to a disaster, security or cyber breach or unscheduled downtime, and to restore its information assets and systems to prevent disruption to staff and students. The possibility of system breaches and unscheduled service downtime is continuously monitored by Metavision Institute Information Technology staff.
4. Metavision Institute’s website is the key repository of publicly available information about its higher education operations as per Threshold Standard 7.3 Information Management, including:
   - Provider registration and course accreditation status,
   - Board and Committee members and senior executive staff,
   - Organisational chart,
   - Financial standing,
   - Indicative total student enrolments,
   - An overview of facilities and services, and
   - How to lodge a complaint.
5. Metavision Institute’s information management systems enable prospective and current students to readily and continuously access timely and relevant information about policies, procedures, course offerings, important dates, how to contact staff and the availability of student support services.
Implementation
1. Information is classified according to its sensitivity and critical nature for operations. All data stored in computers, the Learning Management System, Student Management System and website is securely and routinely backed up on cloud-based services.
2. Data storage capacity is regularly monitored and reported to the Executive Committee.
3. Software and infrastructure are kept up to date according to the upgrade cycles of relevant applications, libraries or components, for example, Moodle and Python. Security or vulnerability notices are monitored and acted upon promptly by the IT Manager.
4. Adequate controls are implemented to prevent, detect, remove and report any data breach, attempted data breach or service disruption in relation to Metavision Institute’s information assets. All attempted and actual data breaches, and unscheduled system downtimes, are recorded in the Risk Register and reported to the Executive Committee and Governance Board.
6. User accounts (email and password) are managed by the Student Management System but are actually Google accounts, and authentication is handled by Google's authentication system via G-Suite Single Sign On, which provides secure access via one method to the Student Management System, Moodle eLearning tools and G-Suite applications.
7. Staff, contractors and governance committee members are provided with and use Metavision Institute email addresses with signature blocks to communicate with students, other staff and stakeholders in relation to their official work roles at all times.
8. Each user is provided with a unique username and password for accessing Metavision Institute’s information systems. Metavision Institute has in place a system of authentication management. The Student Management System uses groups, roles and permissions to grant access to privileged areas of the system only to members within appropriate groups or with appropriate permissions. Moodle also has a strong role-based permissions system. These permissions provide robust and tight control over access to secure and sensitive information.
9. Appropriate planning, controls and system testing are applied when upgrading or installing software on Metavision Institute’s computers, Student Management System, Learning Management System and website, including forewarning of any planned downtime that cannot be avoided.
Responsibilities
The Governance Board is responsible for ensuring that the Business Continuity Plan clearly articulates the mechanisms for protecting Metavision Institute’s information assets and systems.
The Executive Officer is responsible for the implementation of this policy and for reporting to the Governance Board on risks and mitigation of risks to information management systems.
The IT Manager is responsible for technical implementation and for monitoring the possibility of system breaches and service disruptions to ensure continuity of service for staff and students.
Line managers are responsible for inducting new staff in the requirements of this policy.
All authorised users of Metavision Institute’s information systems are responsible for using them responsibly.
Related Documents
- Business Continuity Plan
- Risk Management Framework
- Risk Register