Cyber security controls

02 September 2024

The University of Canterbury implements a defence-in-depth approach to information security and employs a multitude of cyber security controls to protect our infrastructure and data. These controls are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the ISO 27001 standard.


Objective:

To limit access to information and information processing facilities, to ensure authorised user access and to prevent unauthorised access to systems and services. Also, to make users accountable for safeguarding their authentication information and to prevent unauthorised access to systems and applications.

Control implementation overview: 

  • All University user accounts follow industry best practice identity management guidelines, e.g. the use of Single Sign-On (SSO) and Multi-Factor Authentication (MFA)

  • Privileged IT access management follows industry best practices 

  • Managed end-user devices (computing and mobile devices) and Virtual Private Network (VPN) access provided to all staff 

  • Adherence to the Identity and Access Management Standard 

Objective: 

To identify organisational data and technology assets and define and implement appropriate levels of protection responsibilities and controls. 

Control implementation overview: 

  • IT Asset management practices aligned with industry tools and frameworks 

  • Data encryption best practices implemented in a managed IT environment 

  • Secure physical storage of core IT equipment within University managed facilities 

Objective: 

To embed information security continuity in the organisation's business continuity management systems and to ensure the availability of information processing facilities.

Control implementation overview: 

  • University enterprise business continuity and crisis management framework implemented following industry best practice 

  • Resilience in the managed IT environment is designed and implemented to ensure continuous operations of key enterprise IT services and systems 

Objective: 

To ensure the protection of information in networks and its supporting information processing facilities. 

Control implementation overview: 

  • Industry best practice network security protection and detection controls and capabilities support the managed IT environment 

  • Dedicated IT network management capability to ensure the best practice management of all network communications infrastructure across the managed IT network (including network infrastructure device configuration, deployment and management) 

  • Virtual Private Network (VPN) mechanisms provided where applicable to secure access to enterprise IT services and systems 

Objective: 

To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements and to ensure that information security is implemented and operated in accordance with the organisational policies and procedures. 

Control implementation overview: 

  • Regular internal cyber security management and security control maturity assessments are conducted across the managed IT environment 

  • The University Internal Audit capability reviews the cyber security management and security control maturity of the University on a periodic basis 

  • Independent regulatory security management audits are conducted on a periodic basis (based on the relevant regulatory scope)

  • Independent industry security certification audits are conducted on a regular basis (based on relevant University security certifications), including PCI DSS security compliance

Objective: 

To establish a management framework to initiate and control the implementation and operation of information security within the organisation. 

Control implementation overview: 

  • University Cybersecurity and Risk capability and the associated cyber security functions and services it provides to the University 

  • University cyber security policies and procedures 

  • University cyber security standards 

Objective: 

To provide management direction and support for information and cyber security in accordance with business requirements and relevant laws and regulations. 

Control implementation overview: 

  • University cyber security policies and procedures 

  • University cyber security standards 

  • Regular periodic review and update of cyber security policies, procedures and standards to ensure they continue to support business, regulatory and legal requirements and the cyber security risk and threat landscape 

Objective: 

To ensure proper and effective use of encryption to protect the confidentiality, authenticity and/or integrity of information. 

Control implementation overview: 

  • Centralised management of SSL certificates for University web domains 

  • Encryption of data implemented for enterprise managed end user devices 

  • Industry best practice encryption protocols and mechanisms implemented for enterprise managed IT compute and storage hosting platforms 

Objective: 

To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. 

Control implementation overview: 

  • Enterprise Human Resources capability which governs and supports HR activities across the University 

  • University HR policies and procedures 

  • Employment contracts/agreements (including confidentiality and intellectual property requirements) 

  • Employment screening processes (as governed by University HR policies and procedures) 

  • Employment on-boarding and off-boarding processes (as governed by University HR policies and procedures)

Objective: 

To ensure correct and secure operations of information processing facilities, to protect against loss of data and to record events and generate evidence. 

Control implementation overview: 

  • Enterprise grade antivirus and anti-malware detection, prevention and recovery technology across IT managed devices

  • Technical vulnerability management program and supporting tools implemented across the managed IT environment (including vulnerability scanning, vulnerability disclosure program, bug bounty program) 

  • Security penetration testing capabilities applied to verify the technical security posture of enterprise IT service and infrastructure in a risk-based manner 

  • Security threat identification, monitoring and response capabilities based on industry best practice frameworks 

  • IT change management procedures and processes embedded into the managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.)

  • Operational monitoring of the managed IT environment to ensure appropriate IT system and platform health and resilience 

  • Standard patch management processes based on industry best practice for managed end-user devices, IT hosting platforms and core IT infrastructure 

Objective: 

To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities, and to prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.

Control implementation overview: 

  • Use of commercial grade ISO 27001 certified data centre hosting providers within New Zealand for the storage of core IT equipment 

  • Use of commercial grade ISO 27001 certified cloud hosting providers for managed cloud platform services 

  • Centralised physical security management and support services provided by the University Facilities Security Services capability 

  • Implementation of standard physical security access and monitoring controls across all University offices and buildings (including electronic building access management, 24/7 CCTV monitoring and security guard services etc.) 

  • Implementation of standard environmental management and monitoring controls across all University offices and buildings (including managed heating, cooling, lighting etc.) 

Objective: 

To ensure protection of the organisation's assets that are accessible by suppliers. To maintain an agreed level of information security and service delivery in line with supplier agreements. 

Control implementation overview: 

  • Standard University data security and data privacy requirements are considered within contractual agreements with external suppliers 

  • Supplier delivery and commercial management processes in place to ensure that suppliers continue to perform and meet the requirements of the supplier agreements 

Objective: 

To ensure that information security is an integral part of information systems across the entire system development and maintenance lifecycle. 

Control implementation overview: 

  • Specific security awareness and secure code development training for development capabilities and resources 

  • Implementation of industry best practice approaches to secure development life cycle practices (e.g. secure code training, security testing and communities of practice etc.)

  • IT change management procedures and processes embedded into the managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.)
