Cyber security controls
The University of mini传媒 implements a defence-in-depth approach to information security and employs a multitude of cyber security controls to protect our infrastructure and data. These controls are aligned to National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the ISO 27001 standard.鈥
Objective:
鈥疶o limit access to information and information processing facilities and ensure authorised user access and to prevent unauthorised access to systems and services. Also, to make users accountable for safeguarding their authentication information and prevent unauthorised access to systems and applications.鈥
Control implementation overview:鈥
All University user accounts follow industry best practice identity management guidelines e.g. the use of Single-Sign-On, Multi-Factor-Authentication (MFA)鈥
Privileged IT access management follows industry best practices鈥
Managed end-user devices (computing and mobile devices) and Virtual Private Network (VPN) access provided to all staff鈥
Adherence to the Identity and Access Management Standard鈥
翱产箩别肠迟颈惫别:鈥
To identify organisational data and technology assets and define and implement appropriate levels of protection responsibilities and controls.鈥
Control implementation overview:鈥
Guidance on information classification and the acceptable use of University assets via the:鈥
鈥痝overning the access to, use of and return of University assets鈥
IT Asset management practices aligned with industry tools and frameworks鈥
Data encryption best practices implemented in a managed IT environment鈥
Secure physical storage of core IT equipment within University managed facilities鈥
翱产箩别肠迟颈惫别:鈥
Information security continuity shall be embedded in the organisation's business continuity management systems and to ensure availability of information processing facilities.鈥
Control implementation overview:鈥
University enterprise business continuity and crisis management framework implemented following industry best practice鈥
Resilience in the managed IT environment is designed and implemented to ensure continuous operations of key enterprise IT services and systems鈥
翱产箩别肠迟颈惫别:鈥
To ensure the protection of information in networks and its supporting information processing facilities.鈥
Control implementation overview:鈥
Industry best practice network security protection and detection controls and capabilities support the managed IT environment鈥
Dedicated IT network management capability to ensure the best practice management of all network communications infrastructure across the managed IT network (including network infrastructure device configuration, deployment and management)鈥
Virtual Private Network (VPN) mechanisms provided where applicable to secure access to enterprise IT services and systems鈥
翱产箩别肠迟颈惫别:鈥
To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements and to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.鈥
Control implementation overview:鈥
Regular internal cyber security management and security control maturity assessments are conducted across the managed IT environment鈥
The鈥疷niversity Internal Audit capability鈥痳eviews the cyber security management and security control maturity of the University on a periodic basis鈥
Independent regulatory security management audits are conducted on an periodic basis (based on the relevant regulatory scope)鈥
Independent industry security certification audits are conducted on a regular basis (based on relevant University security certifications ) including鈥 PCI DSS security compliance鈥
翱产箩别肠迟颈惫别:鈥
To establish a management framework to initiate and control the implementation and operation of information security within the organisation.鈥
Control implementation overview:鈥
University Cybersecurity and Risk capability鈥痑nd the associated cyber security functions and services it provides to the University鈥
University cyber security policies and procedures鈥
University cyber security standards鈥
翱产箩别肠迟颈惫别:鈥
To provide management direction and support for information and cyber security in accordance with business requirements and relevant laws and regulations.鈥
Control implementation overview:鈥
University cyber security policies and procedures鈥
University cyber security standards鈥
Regular periodic review and update of cyber security policies, procedures and standards to ensure they continue to support business, regulatory and legal requirements and the cyber security risk and threat landscape鈥
翱产箩别肠迟颈惫别:鈥
To ensure proper and effective use of encryption to protect the confidentiality, authenticity and/or integrity of information.鈥
Control implementation overview:鈥
Centralised management of SSL certificates for University web domains鈥
Encryption of data implemented for enterprise managed end user devices鈥
Industry best practice encryption protocols and mechanisms implemented for enterprise managed IT compute and storage hosting platforms鈥
翱产箩别肠迟颈惫别:鈥
To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.鈥
Control implementation overview:鈥
Enterprise Human Resources capability which governs and supports HR activities across the University鈥
University HR policies and procedures鈥
Employment contracts/agreements (including confidentiality and intellectual property requirements)鈥
Employment screening processes (as governed by University HR policies and procedures)鈥
Employment on-boarding and offboarding processes (as governed by University HR policies and procedure鈥
翱产箩别肠迟颈惫别:鈥
To ensure correct and secure operations of information processing facilities, to protect against loss of data and to record events and generate evidence.鈥
Control implementation overview:鈥
Enterprise grade antivirus and anti-malware detection, prevention and recovery technology across lT managed devices鈥
Technical vulnerability management program and supporting tools implemented across the managed IT environment (including vulnerability scanning, vulnerability disclosure program, bug bounty program)鈥
Security penetration testing capabilities applied to verify the technical security posture of enterprise IT service and infrastructure in a risk-based manner鈥
Security threat identification, monitoring and response capabilities based on industry best practice frameworks鈥
IT change management procedures and processes embedded into the managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.鈥
Operational monitoring of the managed IT environment to ensure appropriate IT system and platform health and resilience鈥
Standard patch management processes based on industry best practice for managed end-user devices, IT hosting platforms and core IT infrastructure鈥
翱产箩别肠迟颈惫别:鈥
To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities and to prevent loss, damage, theft or compromise of assets and Interruption to the organisation鈥檚 operations.鈥
Control implementation overview:鈥
Use of commercial grade ISO 27001 certified data centre hosting providers within New Zealand for the storage of core IT equipment鈥
Use of commercial grade ISO 27001 certified cloud hosting providers for managed cloud platform services鈥
Centralised physical security management and support services provided by the鈥疷niversity Facilities Security Services鈥痗apability鈥
Implementation of standard physical security access and monitoring controls across all University offices and buildings (including electronic building access management, 24/7 CCTV monitoring and security guard services etc.)鈥
Implementation of standard environmental management and monitoring controls across all University offices and buildings (including managed heating, cooling, lighting etc.)鈥
翱产箩别肠迟颈惫别:鈥
To ensure protection of the organisation's assets that are accessible by suppliers. To maintain an agreed level of information security and service delivery in line with supplier agreements.鈥
Control implementation overview:鈥
support the procurement and use of externally managed IT services鈥
Standard University data security and data privacy requirements are considered within contractual agreements with external suppliers鈥
Supplier delivery and commercial management processes in place to ensure that suppliers continue to perform and meet the requirements of the supplier agreements鈥
翱产箩别肠迟颈惫别:鈥
To ensure that information security is an integral part of information systems across the entire system development and maintenance lifecycle.鈥
Control implementation overview:鈥
and the the development, release or significant changes of IT services or systems within the managed environment鈥
鈥痵upport the design, development and implementation of IT systems鈥
Specific security awareness and secure code development training for development capabilities and resources鈥
Implementation of industry best practice approaches to secure development life cycle practices (e.g.鈥痵ecure code training, security testing, and communities of practice etc.)鈥
IT change management procedures and processes embedded into the s managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.)鈥
