Cyber Security Approach
CECV follows a Defence in Depth (layered) approach to cyber security and aligns with the National Institute of Standards and Technology (NIST) security standard in developing, maintaining, and protecting the ICON system. No one security control is a perfect foil against all cyber security threats and vulnerabilities.
This means that there are several layers of cyber security protecting confidentiality, integrity, and availability of ICON data and services, including:
Policies, Procedures, and Awareness;
Testing, Monitoring, and Detection;
Desktop and User security – where staff, students, and parents interact with the system;
Application and Data security;
Enterprise Perimeter security – data communication.
Figure 1 - Defence in Depth
Figure 1 illustrates how these various layers, containing preventive and detective security controls, combine to protect data and systems.
Cyber Security Incidents
CECV follows a formal cyber security incident response process that is put into action whenever a cyber incident is raised. Cyber security incidents must be reported to the CECV service desk.
A cyber security incident is an adverse event in which a system’s security policy is breached and corrective action is required. A cyber security incident is potentially a serious event, as it can compromise the confidentiality, integrity, and availability of ICON.
Examples of cyber security incidents which could affect ICON include but are not limited to:
A Distributed Denial of Service (DDoS) attack on an ICON system that degrades service availability by driving traffic up to the point where the system is inaccessible or unusable;
Compromise or disclosure of commercially sensitive or personally identifiable information;
Compromise of network account credentials;
Unauthorised use of ICON;
Ransomware or other malware infecting a single machine or a segment of the network.
Data Breach Notification
The Notifiable Data Breach Scheme (NDBS) came into effect on 22 February 2018. Details about the NDBS and school obligations were published in COMS and are available on CEVN at https://cevn.cecv.catholic.edu.au/Melb/Document-File/School-Improvement/ICT-Advice/CECV-Notifiable-Data-Breach-Scheme.
The following guide on when to report a data breach is extracted from the Office of the Australian Information Commissioner (OAIC) website located at https://www.oaic.gov.au/privacy/notifiable-data-breaches/.
An eligible data breach occurs when:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
this is likely to result in serious harm to one or more individuals, and
the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action
Role of Schools and Offices
Studies have shown that one of the best ways to improve and maintain the security of information is to raise awareness of cyber security. Practising good cyber hygiene habits has been proven to be a very effective way to reduce the risk of a cyber incident.
Whilst ICON data is stored within a secure environment, with multiple layers of protection, staff at schools and offices can contribute by:
Remaining alert to email and telephone scams (phishing, whaling, vishing, and the like) that attempt to discover login details:
    - Be wary of emails that are unexpected or come from unknown senders;
    - Don’t open attachments or click on links that are suspect or not work-related. If needed, follow up with a phone call to verify their authenticity;
    - Even if a link looks authentic, type the address into your browser manually to make sure you reach the genuine web site;
    - If an unknown caller wants information from you or asks to verify details, consider asking for their company name and contact number so you can call them back. Do a search to check that the number belongs to that company, and only call back if it is genuine.
Storing downloaded ICON data and reports that contain sensitive Personally Identifiable Information (PII) in secure locations, such as network drives and folders with restricted permissions (local hard drives and USB devices are not typically secure);
Reporting ICON related cyber security incidents or data breaches to the CECV service desk;
Not sharing your username or password, and not storing them where anyone else can access them. Password manager software such as ‘KeePass’ can help those who find remembering passwords a challenge;
Using reputable end-point protection (anti-virus) software on your computer;
Locking or logging off your computer when unattended;