Visitor Access to IT Systems, Data, and Restricted Facilities Policy and Procedures Guidelines

Application

All University members acting as sponsors of visitors with access to restricted IT systems, data, or facilities, and all sponsored visitors requiring access to Waipapa Taumata Rau | University of Auckland beyond publicly available systems, data and facilities.

These guidelines should be read alongside the Visitor Access to IT Systems, Data, and Restricted Facilities Policy and Procedures Policy and Procedures and Scenarios.

Purpose

To ensure that visitors’ access to restricted University systems, internal, sensitive or restricted data, and restricted facilities is authorised through the correct procedures and that risks associated with visits are assessed and mitigated.

Guidelines

What is the Visitor Access to IT Systems, Data and Restricted Facilities Policy and why is it needed? 

The Visitor's Access Policy governs how visitors are granted access to University IT systems, internal, sensitive or restricted data, and restricted facilities. The policy is aligned to the New Zealand Government protective security guidance for managing inward visits and supports the University’s research security processes addressing espionage, interference and export controls. The policy also supports compliance with other legal obligations, including health and safety obligations, by ensuring that risks associated with visitors are carefully assessed and mitigated to the extent reasonably practicable. 

Who does this policy apply to?

The policy applies to all visitors, including student visitors and visiting student researchers, or non-university members, who require access to the University’s sensitive data, systems, or restricted facilities. This includes visitors to digital systems or data, even if they do not physically visit University property.

Casual visitors, such as public speakers and conference or event attendees, are not subject to this policy unless they require access beyond public facilities or publicly available information. The University Data classification standard provides more information on when data can or cannot be shared publicly.

School visits to restricted facilities must be sponsored and approved through this policy. Minors participating in the visit do not need to be registered, but adult chaperones should be registered as sponsored visitors. Sponsors should work to find unrestricted meeting spaces when possible.

This policy does not apply to honorary and adjunct staff, contractors and subcontractors, service agents and technicians, consultants, co-locators, tenants, landlords and landlord’s agents. The process these University members go through is managed by their line manager, co-location host or tenancy host.

What is the Sponsored Visitor Registration Form?

The Sponsored Visitor Registration Form will be a new form populating a visitor’s database. In addition to recording basic information about the visitor and sponsor, this form will record the purpose of the visit, assist the approval authority with identifying risks associated with a prospective visitor, and help identify policies, procedures, controls, and building-specific processes relevant to the activities to be undertaken by the sponsored visitor. Guidance in this form will also help the approval authority understand when a request should be escalated to the Risk Office or Research Risk & Compliance Office for specialist advice.

What is the difference between low, medium and high-risk visits?

The policy applies the same criteria as the University’s technology risk assessment for international travel requirements when classifying visits as low, medium or high-risk.

Visitors from countries subject to New Zealand or United Nations sanctions are considered high-risk for all types of data that the visitors may have access to. A visitor is ‘from’ a country if they ordinarily reside in that country or are affiliated with an organisation based in that country. The term ‘affiliated’ includes affiliation as a student, as an employee, or as a contractor or consultant. If a visitor is from a low-risk country but is employed by or affiliated with an organisation based in a high-risk country, the risk assessment should be based on the organisation’s country of origin, given the potential for indirect exposure to export control and data security risks.

Visitors from European Union (EU), Organization for Economic Cooperation and Development (OECD) and Pacific Island countries are considered medium-risk for restricted data and low-risk for internal and sensitive data.

Visitors from all other countries are considered high-risk for restricted data and medium-risk for internal and sensitive data. Please refer to the table at the end of this guideline for detailed risk classifications by country.

What is the significance of a visit being classified as medium risk or high risk?

Approval authorities considering medium-risk and high-risk visits should obtain specialist advice from the University Risk Office, which may in turn refer the matter to the University’s Research Risk and Compliance Manager or New Zealand Government agencies for further specialist advice.

How do I sponsor a visitor to have access to IT Systems, Data, and Restricted Facilities?

As a sponsor, you must:

  • Be a University staff member.
  • Obtain written approval from a Level 3 manager or above, like an academic head, DFO or their delegate.
  • Ask your visitor to create a University Identity.
  • Complete the Sponsored Visitor Approval and Registration Form, and arrange for completion of the IT Service Access for Contractors, Visitors & External Collaborators form on behalf of your visitor.
  • If your visitor requires access to restricted facilities, follow the processes set by the space manager for the specific facility, and make sure your visitor completes any necessary induction, training and/or access requirements for the facility.
  • Ensure your visitor understands and complies with University policies and completes any required training.
  • Oversee your visitor during their stay and de-provision their access once the visit concludes.

When should I decline to sponsor or approve a visitor?

Although we are an open University and embrace collaboration, providing unsupervised access to restricted facilities, IT systems, and internal, sensitive or restricted data should be carefully considered.

If someone you don’t know or don’t have a reason to collaborate with reaches out to ask that you share sensitive data or access to a restricted facility, you should decline their request.

If you are asked to sponsor or approve a visitor who may present any health & safety, security, privacy, reputational or financial risk that falls outside the University’s Risk appetite, you should consider declining the request, or reach out to relevant parties or committees to discuss the request.

If you are asked to share internal, sensitive or restricted data, IT systems, or access to a restricted facility with a visitor who may present any health & safety, security, privacy, or financial risk that falls outside the University’s Risk appetite, you should consider declining the request, or reach out to relevant parties or committees to discuss the request.

Te Kāwanatanga o Aotearoa | New Zealand Government offers additional guidance on managing inwards visits.

Country Risk Classification Table

Visitor Risk Categories | Restricted areas, data, and systems | Internal / sensitive data and systems
Visitors from countries subject to sanctions | HIGH | HIGH
Visitors from countries not sanctioned or listed below | HIGH | MEDIUM
Visitors from New Zealand, EU, OECD and Pacific Island countries | MEDIUM | LOW