Cybersecurity Policy

Fact box

  • Policy owner: Director IT
  • Policy category: Governance: Council
  • Policy status: Approved
  • Approval body: Council
  • Endorsement body: Executive
  • Related policies:
  • Last amended: 19th Aug. 2025
  • Relevant HESF:

Purpose

This Cybersecurity Policy establishes a structured framework to safeguard Alphacrucis University College’s (AC) digital information, systems, and infrastructure. Its primary aim is to protect the confidentiality, integrity, and availability of institutional data, with controls maturing progressively over time. The policy aligns with relevant legal, regulatory, and educational standards. It also guides the implementation of robust cybersecurity controls while fostering a culture of security awareness and shared responsibility among all users.

Scope

This policy applies to all individuals and digital assets that interact with AC’s information systems. It includes:

  • All employees, contractors, and third-party vendors who access AC resources
  • All students who use AC-owned platforms and systems
  • All computing devices, software applications, network services, and cloud-based technologies connected to AC’s infrastructure

Policy

Key Principles

This section outlines the foundational principles guiding AC’s approach to cybersecurity. These principles represent the philosophical and operational basis on which all other security practices are established.

  • Risk Management: Cyber risks are dynamic and will be continuously evaluated and managed based on their potential impact on the institution’s operations, data, and reputation. Risk assessments will inform security controls, policy updates, and mitigation strategies across systems and business units.
  • Data Protection: AC is committed to the confidentiality, integrity, and availability of its data. This includes safeguarding sensitive information such as academic records, personnel files, and proprietary research. Protections will extend across all stages of data processing – from creation to archival – and apply to both physical and digital forms.
  • Compliance: Cybersecurity practices at AC will align with applicable laws and frameworks, including the Australian Privacy Act 1988, TEQSA requirements, and ACSC guidelines. Compliance efforts will be documented and reviewed regularly to ensure sustained accountability.
  • User Responsibility: Security is a shared responsibility. Every user, whether staff, student, or vendor, is expected to act with diligence, adopt secure practices, and report potential threats. Awareness and compliance at the user level are key to maintaining an effective security posture.

Governance

Cybersecurity governance is essential to maintaining consistent and accountable security practices across AC. The Director IT will lead the implementation of this policy. To support continuous improvement, periodic internal reviews and third-party assessments, including assessments against the ACSC’s Essential Eight Maturity Model, may be employed to evaluate progress and guide enhancements.


Security Controls

To operationalize its cybersecurity principles, AC has implemented a range of layered security controls. These controls span system access, device management, network segmentation, data encryption, secure development, and more. Each is outlined below.

Access Management

Access to digital resources will be regulated based on identity, role, and business need:

  • Every user will be assigned a unique ID to ensure traceability and accountability; shared accounts are not permitted.
  • Role-Based Access Control (RBAC) will be enforced, restricting data access according to predefined roles and responsibilities.
  • Multi-Factor Authentication (MFA) is mandatory for staff, students, and contractors to provide an additional layer of defence.
  • Access rights will be reviewed quarterly to ensure ongoing appropriateness and to reduce exposure, and will be revoked promptly when a user’s role ends or changes.

Endpoint Protection

Endpoints such as desktops, laptops, and mobile devices must be secured whether they are AC-managed or personally owned:

  • Institution-owned devices must be equipped with antivirus software, host-based firewalls, and full-disk encryption.
  • Personally owned devices that connect to AC systems must use secure access technologies such as virtual private networks (VPNs).
  • IT will monitor endpoint compliance and may restrict access for non-compliant devices.

Network Security

Network infrastructure will be hardened using modern security tools and methodologies:

  • Sensitive systems will be segmented from general-use networks to limit lateral movement in the event of compromise.
  • Firewalls, intrusion detection systems (IDS), and anomaly detection tools will be deployed to monitor, detect, and block unauthorized traffic.
  • Regular vulnerability scans and scheduled penetration testing will be used to proactively identify and address weaknesses.

Data Security

All institutional data must be protected according to its classification and sensitivity:

  • Encryption will be used for data in transit (e.g., transmitted over networks) and at rest (e.g., stored on disks) where technically feasible.
  • Cloud storage providers should preferably be based in Australia or assessed under the Information Security Registered Assessors Program (IRAP).
  • Backups and disaster recovery plans are to be maintained and tested regularly for critical systems.

Secure Development

Development and maintenance of software must adhere to secure engineering principles:

  • All in-house development projects will follow secure coding standards and undergo regular code reviews.
  • Third-party and open-source libraries must be vetted for known vulnerabilities before integration and re-checked as new vulnerabilities are disclosed.
  • Patching will follow a defined approach: operating systems and major applications will be patched automatically, while platforms such as Moodle follow structured release cycles. Firmware and hardware patches will be applied as vendor guidance dictates.

Incident Response

Quick and effective response to security incidents is crucial to limiting damage:

  • All users must report suspected cybersecurity incidents to the IT Team within 30 minutes of discovery.
  • Incidents deemed critical will be escalated to senior leadership and, where required, reported to the Australian Cyber Security Centre (ACSC) in line with national guidelines.

Awareness & Training

Building a security-aware culture is central to the success of this policy:

  • Cybersecurity awareness training will be available to all staff on an annual basis.
  • The IT Team will conduct phishing simulations at least once per year to assess readiness and identify gaps.
  • Ongoing guidance and resources will be provided to promote secure use of common platforms such as email, Microsoft 365, and mobile applications.


Third-Party & Vendor Risk

External vendors and partners can introduce cybersecurity risks and must be managed accordingly:

  • All third-party vendors handling institutional data must sign a data protection agreement that outlines their responsibilities and liabilities.
  • Critical vendors will be reviewed periodically to assess their security posture and performance.
  • Cloud service providers must demonstrate compliance with ISO/IEC 27001 or a comparable security certification.

Policy Compliance

  • Violations of this policy may result in disciplinary action, which may include access restrictions, HR involvement, or termination.
  • Any deviation from this policy must be formally documented and approved in writing by the Director IT before it takes effect.

Review and Updates

This policy is a living document and will be reviewed:

  • Annually, as part of AC’s broader governance and compliance cycle; or
  • After any major security incident, audit recommendation, or regulatory update that materially affects its scope or implementation.

Responsible for implementation

Director IT