IT Security Policy


This policy applies to all members of the University community whether at the University or elsewhere, and refers to all IT resources.


IT resources play a crucial role in the development and sharing of information and in supporting the advancement of knowledge at the University. The purpose of this policy is to define responsibilities within each unit for maintaining the security of the IT resources under their control.

By implementing this policy the University will:

  • protect against unauthorised access to, or unauthorised use or sharing of, data that could potentially result in harm to the University or to members of the University community
  • protect against anticipated threats or hazards to the security of IT resources
  • comply with legal requirements, University policies and any agreements binding the University to implement applicable security safeguards


  1. IT users at the University have individual and shared responsibilities to ensure the protection of IT resources.
  2. Each unit will develop, maintain, and implement an information security plan.
  3. The plan will identify applicable regulations and will define unit security safeguards.
  4. Each unit will identify and track sensitive and critical data under its control.
  5. Each unit will periodically conduct risk assessments around its sensitive and critical data.
  6. Risk assessments will prioritise risks and recommend appropriate mitigation strategies.
  7. Each unit will report and manage IT security incidents in accordance with the security incident reporting procedure.

Responsibilities for implementation

Heads of units are responsible for:

  • communicating and applying IT policies within their unit
  • assigning individuals to unit information security roles, ensuring they are properly trained and ensuring their ongoing participation in University-wide security activities
  • ensuring the implementation of information security plans within their unit
  • ensuring unit collaboration on the implementation of the University-wide IT security programmes

The Chief Digital Officer of the University is responsible for:

  • directing and coordinating the University-wide IT Security Programme
  • determining unit level compliance with this policy
  • providing a focal point for oversight of serious security incidents
  • establishing security metrics, tracking the progress of the IT Security Programme and providing a University-wide IT risk profile
  • ensuring availability of appropriate information, education and training


The following definitions apply to this document:

Critical data refers to the importance of the data to the operation of the University

Heads of units are deans, directors and the CEO of UniServices

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it

IT security incident includes an attempted or successful unauthorised access, use, disclosure, modification or destruction of information, or interference with IT operation

IT user means any member of the University community using IT resources

Security safeguards are measures undertaken to protect IT resources

Sensitive data refers to data whose unauthorised disclosure may have serious adverse effect on individuals or on the University’s reputation, resources, or services

Unit(s) refers to an organisational grouping across the University and includes a faculty, research centre, service division or UniServices

University means the University of Auckland and includes all subsidiaries

University community includes all staff (whether permanent, temporary or part time), honorary staff, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices

Document management and control

Owned by: CDO

Content manager: IT Risk and Strategy Manager

Approved by: The Vice-Chancellor

Date approved: January 2017

Review date: January 2020