Skip to content

Cyber Security Strategy 2021 - 2025

Vision

The University of Southern Queensland will be renowned for our innovation and excellence in education, student experience, research and engagement. 

Strategic imperatives

  • Strategic growth
  • Differentiation
  • Innovation
  • Sustainability
Our strategic approach

Mission

To support USQ's objectives by securely enabling its initiatives and operations while protecting it from threats to the availability, integrity and confidentiality of systems and data. 

We will benchmark against the ASD/ACSC Strategies to Mitigate Cyber Security Incidents, and extend and adapt to meet the specific needs and challenges of the Higher Education sector. 

Cyber Security Strategy principles 

Objectives

  • Align with enterprise risk tolerance and expectations
  • Understand, learn from and respond to our environment
  • Implement effective measures to protects against known threats
  • Have resilience systems and processes against unforeseen threats
  • Detect threats that were not able to be protected against
  • Rapidly respond to events and incidents
  • Recover to normal operations as soon as feasible and possible
 
 
Govern Protect Detect Respond & Recover
  • Monitor overall risk exposure
  • Prioritise activity based on evidence
  • Monitor for effectiveness
  • Block known threats
  • Build resilience in staff and systems
  • Detect threats we can't block
  • Rapidly respond to events and incidents
  • Safely return to known good state
  • Based on data, continuously improve
 How we will connect activity to strategy
  • Maintain and review strategy
  • Consult with stakeholders
  • Oversight major initiatives
  • Monitor key risks and metrics
  • Resource appropriately
  • Secure network perimeter
  • Harden endpoints
  • Mitigate phishing
  • Control identity and access
  • Build awareness and education
  • Seek external threat intelligence
  • Monitor for anomalies
  • Monitor systems, endpoints and access
  • Data loss prevention
  • Automate response and recovery where possible
  • Analyse incidents
  • Communicate
  • Practice recovery
 2021 major cyber security initiatives
  • New Cyber Security Strategy
  • New benchmarking against ASD essential 8 and HE sector
  • Counter foreign interference framework
  • Revitalised awareness and education program
  • Phishing simulation
  • Expansion of endpoint and identity controls
  • Expand event capture and machine learning analysis
  • Internal threat detection platform
  • Security orchestration and automated response platform
  • Major cyber security exercise
 How we will report
  • Benchmarking results against ASD essential 8 and HE sector
  • Control improvement initiatives
  • Internal strategy aligned metrics (network, endpoint, phishing)
  • Perimeter network blocking activity
  • Phishing attempts blocked
  • Phishing simulation results
  • Endpoint malware detections
  • Account compromise
  • Incidents causing significant business impact
Disruption to Service

External threat actors (criminals, nation states, activists) seek to deny access to (DoS), disrupt, deface and inappropriately access and use our systems and resources.

If we don't protect our systems from external malicious disruption or influence, critical business process will be negatively impacted effecting the student experience, our ability to produce research and engage with our communities. 

Reputational Risk 

Cyber incidents can be highly visible in the media and broadly reported and discussed. 

If we fail to broadly address cyber threats and account for reputational considerations, we may lose market standing, suffer impact due to perceived negativity about our brand, and degradation of our partnerships. 

Loss of Data

Data is valuable and desirable for cyber criminals, nation states and malicious individuals to attain (theft) or deny access to (ransomware). Threats can be external actors, external actors who have managed to gain internal access, or internal. As a custodian of data (including sensitive research), its loss can not only affect USQ, but also those we hold data on behalf of. 

If we don't protect our data, we run the risk of reduced user confidence, negative media coverage, negative external compliance scrutiny and impacted business processes. 

Financial Impact

Key business process are increasingly digitalised and critical to 'normal' business operation.

If we don't pay attention to cyber fraud, financially motivated threats, or business interruption motivated attacks, USQ faces a potential financial impact, impacting our sustainability and growth imperative. 

Third Party Risk

We partner with and consume services from external organisations. They have risks which we must be aware of and manage to mitigate impact upon USQ. 

If we don't effectively manage our external partners, we risk failing to meet our aspirations and expectations due to failing in our supply chain and our partners. 

Regulatory and Compliance

Government, regulators, funding bodies and partners have expectations and requirements. Expectations for protections against foreign interference is increasing and is forecast to continue to increase. 

If we fail to maintain compliance, we will be subject to negative public and regulator perception, and increased cost of compliance going forward. 

Cyber Security Strategy 2021 - 2025