Cyber security – the role of TEQSA

As Australia’s higher education regulator, TEQSA protects the quality and integrity of the Australian higher education sector and expects providers to manage sensitive information, such as intellectual property, research data and personal details, responsibly. This includes establishing and enacting measures to identify and manage cyber security risks.

Higher Education Standards Framework provisions

Under the Higher Education Standards Framework (Threshold Standards) 2021, providers are required to maintain their information security systems by: 

  • ensuring that information systems and records are securely and confidentially maintained to prevent unauthorised or fraudulent access to private or sensitive information (standard 7.3.3(b))
  • promoting and fostering a safe environment, including by advising students and staff on actions they can take to enhance safety and security online (standard 2.3.4)
  • having a critical incident policy and readily accessible procedures (standard 2.3.5)
  • taking preventative action to mitigate foreseeable risks to academic and research integrity (standard 5.2.2)
  • exercising due diligence to identify, prevent and manage risks within a provider’s remit of operations (domain 6).

To ensure compliance with these obligations, providers should:

  • have measures in place to understand the nature of cyber threats faced by their institution. Senior management and the governing council need to stay abreast of existing and emerging threats to inform and support the whole-of-institution risk mitigation strategy
  • ensure students and staff (including sessional staff) receive appropriate training on how to safeguard sensitive information and report concerns
  • have appropriate policies to identify and address cyber security incidents and embed such policies effectively into daily operations
  • be aware of cyber security threats associated with learning management systems (LMS), particularly if courses are delivered by a third-party provider
  • take prompt action in accordance with their security and incident response plans, paying close attention to the wellbeing and safety of all affected parties.
     