IT Security Policy

This policy applies to all members of the University community whether at the University or elsewhere, and refers to all IT resources.

IT resources play a crucial role in the development and sharing of information and in supporting the advancement of knowledge at the University. The purpose of this policy is to ensure that the confidentiality, integrity and availability of IT resources are protected from intentional or unintentional damaging acts.

By implementing this policy the University will:

• protect against unauthorised access to, or unauthorised use or sharing of data that could potentially result in harm to the University or to members of the University community;
• protect against anticipated threats or hazards to the CyberSecurity of IT resources; and
• comply with legal requirements, University policies and any agreements binding the University to implement applicable CyberSecurity safeguards.

1. IT users at the University have individual and shared responsibilities to protect the confidentiality, integrity, availability of IT resources.

2. University applications, services and systems will be assessed in order to identify CyberSecurity risks and alignment with the University’s risk appetite.

3. Systems must be maintained within the risk appetite profile, or consistently with agreed exceptions.

4. Any exceptions to policies, standards and guidelines will be managed through the waiver process.

5. All members of the University community must be familiar with the CyberSecurity practices relevant to their role.

Heads of units are responsible for:

• ensuring that induction processes for staff members include CyberSecurity and IT policy awareness;
• planning ongoing awareness and training of CyberSecurity practices, commensurate with a staff member’s role, within training and development plans;
• unit collaboration on the implementation of the University-wide CyberSecurity programmes

Chief Information Security Officer (CISO) of the University is responsible for:

• directing and coordinating the University-wide IT Security Programme
• providing a focal point for oversight of serious CyberSecurity incidents
• establishing CyberSecurity metrics, tracking the progress of the IT Security Programme and providing a University-wide IT risk profile
• ensuring availability of appropriate information, education and training
• coordinating the assessment of applications, services and systems, and describing their risk posture.

The following definitions apply to this document:

Availability ensures timely and reliable access to and use of information.

Confidentiality concerns preserving restrictions on information access and disclosure so that access is limited to only authorised users and services.

CyberSecurity incident includes an attempted or successful unauthorised access, use, disclosure, modification or destruction of information, or interference with IT operation.

CyberSecurity safeguards are measures undertaken to protect IT resources.

Heads of units are deans, directors and the CEO of UniServices.

Integrity ensures that data has not been modified or deleted in an unauthorised and undetected manner.

IT resources refers to any University owned or operated hardware or software, including cloud software, and the data that is used or stored on it.

IT user means any member of the University community using IT resources.

Unit(s) refers to an organisational grouping across the University and includes a faculty, or research centre or service division or UniServices.

University means Waipapa Taumata Rau | University of Auckland and includes all subsidiaries.

University community: students, staff, alumni, supporters, the Council, visitors and contractors, when they are on campus, representing or associated with the University and in University-affiliated digital spaces.

Waiver process includes the application for an exception to a policy, standard or guideline, the approval of that application by the CISO, a Head of Unit, or their nominee, a record of that approval, and the periodic review of approvals granted.

Include the following:

• Data Governance Policy
• IT Acceptable Use Policy
• IT Privacy and Monitoring Policy
• Code of Conduct
• University Risk Management Framework

Owned by: Chief Digital Officer (CDO)
Content manager: Chief Information Security Officer
Approved by: Vice-Chancellor
Date approved: 24 May 2023
Review date: 24 May 2028