University Cyber Security Strategy
The University Cyber Security Strategy has been created to translate the direction, guidance and intent of the University into clearly defined principles, governance, frameworks and a roadmap, ensuring that the investments made in cybersecurity improve the University's cyber resilience and enable its strategic goals.
The Cyber Security Strategy provides a clear line of sight from the University's goals and objectives and ensures alignment with any improvement initiatives delivered through the Cybersecurity Programme. Improving and maintaining the cybersecurity of the University is a challenge for the entire organisation, not just IT or the security team. This is reflected in the fact that the Cybersecurity Strategy informs not just security initiatives but also wider technology and organisational activities.
Cyber security continuous improvement
The technology, organisational and threat landscape continually evolves. Cybersecurity must therefore evolve with it and stay aligned with what the University needs to enable. This requires a cycle of continuous improvement and validation. The University will maintain its commitment to continuous cybersecurity improvement and will not treat it as a problem that can be "fixed" before attention moves on to other issues. Given the speed of change within the organisation and the threat landscape, the University cannot and will not lose focus on cybersecurity.
University Strategy
What is important to the University?
University Strategic Goals:
- Engagement
- Research
- Education
- People
- Efficacy
- Internationalisation
- Sustainability
What are the strategic outcomes of cyber security?
- Enable and empower the University to deliver its strategic plans through collaboration, engagement and proactive stewardship of cybersecurity.
- Support the management of the University's cyber risk exposure through cost-effective measures.
- Demonstrate trust and confidence in digital services by continuously protecting the University from harm against evolving cyber risks and threats.
- To be recognised as an industry leader in the development of cybersecurity talent.
What are the strategic objectives of cyber security?
- Mature the cybersecurity capabilities of the University whilst ensuring a frictionless security experience.
- Deliver University solutions and capabilities in line with cybersecurity best practices and industry standards.
- Embed cybersecurity into the University's culture by cultivating a collaborative approach that brings together the University community.
- Safeguard the University's operational resilience.
Risk & Security Relationship model
Cyber security vision
Enable the University to support its teaching, learning and research outcomes and vision by embedding a positive security culture in everything we do, and safely guide business decisions to protect us from cyber threats.
Cyber security principles
- Breadth Before Depth: We will establish visibility and understanding of the organisational and threat landscape to ensure that decisions are prioritised in context.
- Risk Informed, Threat Aligned: All investments will be made with an awareness of the threats faced.
- Defence in Depth: All controls should support effective defence in depth and must be aligned to identified threats with measurable outcomes.
- Ensure Compliance: Compliance requirements will be identified and included in any new capabilities, systems or services.
- Secure By Design: Everything developed, designed or subscribed to will be securely architected, designed, implemented and operated.
- Safety First: We will ensure that we prioritise investments that ensure the safety and security of our staff and our students.
- Continuously Improve: Cyber resilience is a process of continuous improvement through layers of refinement and enhancement.
- Zero Trust Journey: Ensure alignment with the zero trust journey, with authentication and validation of every interaction.
Cyber security governance
Effective linkage between operational activities and the cybersecurity programme is guided through effective governance. This is established through the key forums defined below.
Cyber security framework
- The University has selected the NIST Cybersecurity Framework (CSF) to provide structure and context for the security controls deployed across the organisation.
- The definition of controls is based on ISO 27001 and, where needed, NIST SP 800-53 and the NZ PSR.
- Our controls are explained and mandated through our policies, standards and guidelines.
- We will deliver our controls improvements and continually maintain them through our Cybersecurity Programme.
Policies & Standards
- Information Security Policy
- Acceptable Use Policy
- Asset Management Standard
- Information Classification and Handling Standard
- Vulnerability Management Standard
- Secure Operations Standard
- Third-Party Risk Management Standard
- Sharing and Collaboration Standard
- Cloud Services Standard
- Encryption Standard
- Identity and Access Management Standard
- End User Device Management Standard
- System Acquisition and Development Standard
Security architecture
Assurance framework
Having a consistent measurement of information security controls using a combination of internal and external assurance provides a clear measure of current performance.
- All assurance activity should be based on the agreed Cybersecurity Framework controls.
- This ensures consistent reporting and representation of compliance and maturity.
- Internal and external audit activity should be aligned to achieve maximum scope.
- Wherever possible, assessment should be automated based on agreed metrics.
- Any audit and testing results should provide balanced input into the information security programme.