Red X iconGreen tick iconYellow tick icon
Skip to main content
CategoryInformation & Communications Technology
TypePolicy
Approved byVice-Chancellor
Date Policy Took Effect30 May 2023
Last approved revision 
SponsorChief Operating Officer
Responsible officerDirector Information Technology Services

Purpose

This Policy, together with its supporting Standards, Guidelines, Controls and Procedures defines the minimum cyber security requirements and advises the objectives, principles, and roles and responsibilities for giving effect to the University's Cyber Security Framework.

Organisational scope

All members of the University community must comply with this policy and are responsible for actively contributing to the security of the University.

This Policy applies to all University of Otago owned assets including University ICT , University Network, Services and Data.

Definitions

Controls
Any policies, procedures, practices, devices, configurations, and other measures designed to safeguard Information Security and mitigate potential loss.
Cyber Security
The protection of network-connected systems such as hardware, software, and data from cyberthreats. The practice is used by individuals and enterprises to protect against unauthorized access to data centres and other computer systems.
Cyber Security Framework (CSF)
Provides the overarching structured approach to Cyber Security and is implemented via this Policy and the supporting Standards, Guidelines, Controls and Procedures.
ICT Resources
Information and Communication Technology Resources provided by the University of Otago or provided by an individual or organisation but used for University of Otago official activities, including (but not limited to), access credentials, devices, software, information, data, telephones, mobile devices and mobile plans, video facilities, internet access, networks, web sites and other computer systems and the means to interact with them.
Information Asset
A definable piece of information, stored in any manner (Digital or Physical) which is recognisable as “valuable” to the organisation.
Information Security
The preservation of confidentiality, integrity, and availability of information. Additionally, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Information Security Event
An identified occurrence of a system, service or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Information Security Incident
A single or a series of Information Security events that have a significant probability of compromising business operations and threatening Information Security.
Integrity of Information
Information that is accurate, complete, and valid and that has not been modified without authorisation.
ICT Systems
A collection of ICT assets that work in conjunction to perform an information or communication related function.
University Community
All University of Otago staff, students (whether permanent, temporary, or part-time), members of the Council of the University, honorary staff, or any other member of the University and any contractors, sub-contractors, consultants, or official visitors.

Content

  1. Objectives

    1. The objectives of this Policy with respect to the University of Otago are to:
      1. Safeguard the confidentiality and privacy of information by preventing the loss, authorised access, use, modification, or disclosure; or other misuse of information, including personal information (i.e. information about an identifiable person).
      2. Protect the integrity of information by preventing accidental or unauthorised deliberate alteration of information.
      3. Protect the University's fiduciary duty in respect of data or information which the University may possess or hold on behalf of others.
      4. Ensure availability of information by preventing accidental or unauthorised deliberate damage, destruction, or deletion of information.
      5. Ensure appropriate responsiveness to contain and address Information Security incidents whilst being able to continue business-as-usual activities.
      6. Establish responsibility and accountability for Information Security.
      7. Avoid breaches of any statutory, regulatory, contractual obligations and any other security requirements.
      8. Ensure a secure, efficient, and reliable technology environment exists for all staff and students to fulfil their roles and for achieving strategic objectives.
      9. Safeguard the confidentiality and privacy of information by preventing the loss; unauthorised access, use, modification, or disclosure; or other misuse of information, including personal information (i.e. information about an identifiable person).

  2. Principles

    1. The following principles apply to Information Security across the University of Otago:
      1. Information Security is the responsibility of all members of the University community that access University's information systems.
      2. Access to information assets is strictly controlled and a principle of need to know and least privilege will be applied.
      3. IT network perimeter and infrastructure is protected from malicious intent in line with commercial, regulatory and compliance requirements.
      4. Critical information assets are categorised according to sensitivity and protected accordingly.
      5. Systems and applications are developed, procured, and maintained securely throughout their lifecycle.
      6. Disruption to the academic research and teaching activities is minimised by preventing and reducing the impact of Information Security incidents.
      7. Technology risks associated with their ICT systems are regularly identified, assessed, managed, and mitigated.

  3. Roles and responsibilities

    1. Information Security is the responsibility of all members of the University community during and as appropriate after, their engagement with the University of Otago.
    2. The Audit and Risk Committee, which is a University Council committee, is responsible for:
      1. providing oversight and monitoring, including through receipt of regular management reports, of University of Otago's Information Security status and obtaining assurance from internal and external information systems auditors.
    3. The Vice-Chancellor is responsible for:
      1. advocating cultural values that promote and safeguard the security, integrity and confidentiality of information, systems, and networks.
      2. advocating for national data sovereignty in relation to data and information which might be of importance to the nation state.
      3. advocating for indigenous data sovereignty in relation to data and information which might be of importance to indigenous peoples.
    4. The Chief Operating Officer is responsible for:
      1. approving the allocation of resources for Information Security efforts.
      2. ensuring availability of adequate resources for the establishment of effective compliance and monitoring mechanisms, training, and education around Information Security.
    5. The Director of Information Technology Services is responsible for:
      1. approving Information Security related standards, procedures, and guidelines.
      2. providing leadership and guidance for the implementation of a University of Otago wide Information Security framework consisting of policies and standards, guidelines, and procedures.
      3. leading the development and implementation of a University of Otago Information Security strategy aligned with University of Otago's strategic objectives.
      4. promoting University of Otago wide Information Security awareness.
    6. The Head of Cyber Security and IT Assurance is responsible for:
      1. developing the University of Otago Information Security Strategy.
      2. developing, implementing, and communicating the Information Security policies and standards, guidelines, and procedures.
      3. ensuring that individual roles and responsibilities for Information Security management and Information Security operations are clearly identified, communicated, and understood.
    7. The Owners of Information Assets are accountable for:
      1. promoting security awareness within their area.
      2. ensuring compliance with all Information Security policies and standards.
      3. ensuring divisional/departmental procedures support the confidentiality, integrity, and availability of information as defined by the University of Otago Information Security policies, standards, and guidelines.
      4. ensuring appropriate continuity planning is carried out and that appropriate business continuity and disaster recovery capability and response is in place for the Information Security services provided.
      5. assessing, managing, and monitoring risks as appropriate across all information assets
      6. ensuring each staff and student understands their Information Security responsibilities within that division / department.
    8. The System Managers of Information Assets are responsible for:
      1. promoting security awareness within their area.
      2. ensuring compliance with the Information Security policy and related ICT policies and standards.
      3. ensuring continuity recovery planning is carried out and that appropriate business continuity and disaster recovery capability and response is in place for the Information Security services provided.
      4. assessing, managing, and monitoring risks as appropriate across all information assets.
    9. All Members of the University Community are responsible for:
      1. knowing and understanding their Information Security responsibilities
      2. complying with all relevant Information Security policies and standards of behaviour in safeguarding University of Otago's Information Security
      3. reporting any breach of personal and/or confidential information.

  4. Breach of policy

    1. Breach of this Policy and/or supporting Information Security policies and standards may result in the loss of access to ICT resources and/or disciplinary action.
    2. Any member of the University community who wishes to raise a concern or report a breach of this Policy should advise their manager, academic supervisor, Head of IT Assurance and Cyber Security; or disclose such incidents in the manner outlined in the University of Otago Ethical Behavior Policy.

Related policies, procedures and forms

For further information regarding relevant Information Security policies, standards, procedures, and guidelines, please refer to the Information and Communications Technology Policy Library:

Policy Library: Information and Communications Technology

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, contact the Head of IT Assurance and Cyber Security:

Umair Zia
Email umair.zia@otago.ac.nz

Back to top