Category Information & Communications Technology
Type Policy
Approved by Vice-Chancellor
Date Policy Took Effect 30 May 2023
Last approved revision 17 November 2025
Sponsor Chief Digital Officer
Responsible officer Head of Cyber Security and Identity

Purpose

To define, together with its supporting Framework, Standards, Procedures, and Guidelines, Cyber Security accountabilities, responsibilities, and minimum level of cyber security controls across the University.

Organisational scope

All members of the University Community must comply with this policy and are responsible for actively contributing to the Cyber Security of the University.

This Policy applies to all University of Otago owned assets including University ICT Resources, the University network, services and data.

Definitions

Associated Entity
An external organisation or company that is connected to the University and may have access to the University’s ICT Resources or Information Assets.
Audit and Risk Committee (ARC)
A University Council committee.
Business Owner
The person responsible for the value and outcomes a digital system provides to the organisation.
Controls
Any policies, procedures, practices, devices, configurations and other measures designed to safeguard the University.
Cyber Security
The protection of systems such as hardware, software, data, and people from cyberthreats. The practice is used to protect against unauthorized, malicious, or accidental access, disruption and theft.
Cyber Security Framework (CSF)
The overarching structured approach to Cyber Security, implemented via this Policy and the supporting Standards, Procedures, and Guidelines.
Cyber Security Event
An identified occurrence of a system, service or network state indicating a possible breach of cyber security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Cyber Security Incident
An event that results in a breach of an explicit or implied digital security policy that requires corrective action as it threatens the confidentiality, availability and/or integrity of an information system or the information that the system processes, stores or transmits.
Digital Technology Committee (DTC)
A University Council Committee.
ICT Resources
The Information and Communication Technology (ICT) Resources provided by the University of Otago or provided by an individual or organisation but used for University of Otago official activities, including (but not limited to), access credentials, devices, software, information, data, telephones, mobile devices and mobile plans, video facilities, internet access, networks, web sites and other computer systems and the means to interact with them.
Information Asset
A definable piece of information, stored in any manner (Digital or Physical) which is recognisable as “valuable” to the organisation.
Technical Owner
The person responsible for the operation, security, and technical performance of the system. They manage the system’s architecture, maintenance, upgrades, and day-to-day technical support to keep the service operating.
University Community
Includes all University of Otago staff members (whether permanent, temporary, full or part time, emeritus or honorary), all members of the Council of the University, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University.

Content

  1. Principles

    1. The following principles apply to Cyber Security across the University of Otago. Members of the University Community:
      1. will strengthen Cyber Security through good governance supported by both individual and shared Cyber Security responsibilities across the University.
      2. will prioritise practical Cyber Security Controls over a compliance-first approach. Where required the University will meet legal, compliance and regulatory obligations.
      3. will manage our ICT Resources and Information Assets effectively by knowing what they are, their value and addressing the risks they face.
      4. will protect people and assets in ways that prevent harm and promote secure behaviours across the University Community.
      5. will maintain visibility and oversight across our environment to ensure prompt, and where possible, proactive detection and response to security events.
      6. are encouraged to report Cyber Incidents and Cyber Events; our focus is on learning and improving our defences.
      7. will respond to Cyber Incidents swiftly and effectively, prioritising containment, recovery and continuity of University operations.
  2. Roles and responsibilities

    1. The Digital Technologies Committee (DTC) is accountable for the oversight and monitoring of the University’s Cyber Security maturity and capabilities.
    2. The Audit and Risk Committee (ARC) is responsible for providing the assurance of the University’s Cyber Security risk, including strategic and Division risks and for obtaining assurance from internal and external auditors.
    3. The Vice-Chancellor (VC) is responsible for modelling and advocating for the Cyber Security principles, including advocating for the safeguarding of University Information Assets. The VC is also responsible for advocating for data sovereignty in relation to data and information which holds cultural and strategic importance to New Zealand.
    4. The Chief Operating Officer (COO) is accountable for approving the allocation of resources for Cyber Security.
    5. The Chief Digital Officer (CDO) is responsible for approving the Cyber Security Framework, standards, procedures, and guidelines, and is accountable for the security and cyber risk of managed ICT Resources and Information Assets.
    6. Respective University Senior Leadership Team members are accountable for the security and cyber risk for ICT Resources and Information Assets where they or their Division are the Business Owner of those resources and assets.
    7. Where Associated Entities manage their own ICT Resources, and those resources utilise or connect to a University ICT Resource or Information Asset, accountability for maintaining the security and active management of risk lies with the Chief Executive or equivalent of that entity.
    8. The Head of Cyber Security and Identity is responsible for the overall management of the University’s cyber security framework, resources, controls, and cyber risk management. This includes determining which security controls are required for University ICT Resources and Information Assets, and ensuring those controls are implemented appropriately.
    9. The Technical Owners of ICT Resources and Information Assets are responsible for ensuring compliance with all applicable Cyber Security policies, controls, standards, procedures and guidelines.
    10. All Members of the University Community have individual and shared cyber security responsibilities. All members must be familiar and comply with the Cyber Security policies, controls, standards, procedures and guidelines that are relevant to their roles.
  3. Breach of policy

    1. Breach of this Policy and/or supporting policies may result in the loss of access to ICT Resources and/or disciplinary action being taken. Any concerns or breaches will be investigated in accordance with the Ethical Behaviour Policy.
    2. Any member of the University Community who wishes to raise a concern or report a breach of this Policy should contact Cyber Security and Identity (CSI).
    3. CSI works with other University areas (such as Human Resources, Proctor’s Office, Office of the Registrar and Secretary to the Council, Office of Risk Audit and Compliance, etc.) when undertaking or assisting with any investigation.
  4. Exemptions

    1. There may be situations where exceptions to this Policy are necessary due to academic, research, operational, security or business-critical reasons. In such a situation, an exemption must be requested by contacting Cyber Security and Identity (CSI).

Related policies, procedures and forms

For further information regarding relevant Cyber Security policies, standards, procedures, and guidelines, please refer to the Information and Communications Technology section of the Policy Library.

Policy Library: Information and Communications Technology

Contact for further information

If you have any queries regarding the content of this policy, need further clarification, or wish to report a breach or request an exemption, contact:

Cyber Security and Identity (CSI)
Email cybersecurity@otago.ac.nz
