Cyber security controls
The University of Canterbury implements a defence-in-depth approach to information security and employs a multitude of cyber security controls to protect our infrastructure and data. These controls are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the ISO 27001 standard.
Objective:
To limit access to information and information processing facilities, ensure authorised user access and prevent unauthorised access to systems and services. Also, to make users accountable for safeguarding their authentication information and to prevent unauthorised access to systems and applications.
Control implementation overview:
All University user accounts follow industry best practice identity management guidelines, e.g. the use of Single Sign-On and Multi-Factor Authentication (MFA)
Privileged IT access management follows industry best practices
Managed end-user devices (computing and mobile devices) and Virtual Private Network (VPN) access provided to all staff
Adherence to the Identity and Access Management Standard
Objective:
To identify organisational data and technology assets and define and implement appropriate levels of protection responsibilities and controls.
Control implementation overview:
Guidance on information classification and the acceptable use of University assets via the Information Classification and IT Acceptable Use Procedures
HR policies and procedures governing the access to, use of and return of University assets
IT Asset management practices aligned with industry tools and frameworks
Data encryption best practices implemented in a managed IT environment
Secure physical storage of core IT equipment within University managed facilities
Objective:
To embed information security continuity in the organisation's business continuity management systems and to ensure availability of information processing facilities.
Control implementation overview:
University enterprise business continuity and crisis management framework implemented following industry best practice
Resilience in the managed IT environment is designed and implemented to ensure continuous operations of key enterprise IT services and systems
Objective:
To ensure the protection of information in networks and its supporting information processing facilities.
Control implementation overview:
Industry best practice network security protection and detection controls and capabilities support the managed IT environment
Dedicated IT network management capability to ensure the best practice management of all network communications infrastructure across the managed IT network (including network infrastructure device configuration, deployment and management)
Virtual Private Network (VPN) mechanisms provided where applicable to secure access to enterprise IT services and systems
Objective:
To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements and to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
Control implementation overview:
Regular internal cyber security management and security control maturity assessments are conducted across the managed IT environment
The University Internal Audit capability reviews the cyber security management and security control maturity of the University on a periodic basis
Independent regulatory security management audits are conducted on a periodic basis (based on the relevant regulatory scope)
Independent industry security certification audits are conducted on a regular basis (based on relevant University security certifications), including PCI DSS security compliance
Objective:
To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
Control implementation overview:
University Cybersecurity and Risk capability and the associated cyber security functions and services it provides to the University
University cyber security policies and procedures
University cyber security standards
Objective:
To provide management direction and support for information and cyber security in accordance with business requirements and relevant laws and regulations.
Control implementation overview:
University cyber security policies and procedures
University cyber security standards
Regular periodic review and update of cyber security policies, procedures and standards to ensure they continue to support business, regulatory and legal requirements and the cyber security risk and threat landscape
Objective:
To ensure proper and effective use of encryption to protect the confidentiality, authenticity and/or integrity of information.
Control implementation overview:
Centralised management of SSL certificates for University web domains
Encryption of data implemented for enterprise managed end user devices
Industry best practice encryption protocols and mechanisms implemented for enterprise managed IT compute and storage hosting platforms
Objective:
To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
Control implementation overview:
Enterprise Human Resources capability which governs and supports HR activities across the University
University HR policies and procedures
Employment contracts/agreements (including confidentiality and intellectual property requirements)
Employment screening processes (as governed by University HR policies and procedures)
Employment on-boarding and off-boarding processes (as governed by University HR policies and procedures)
Objective:
To ensure correct and secure operations of information processing facilities, to protect against loss of data and to record events and generate evidence.
Control implementation overview:
Enterprise grade antivirus and anti-malware detection, prevention and recovery technology across IT managed devices
Technical vulnerability management program and supporting tools implemented across the managed IT environment (including vulnerability scanning, vulnerability disclosure program, bug bounty program)
Security penetration testing capabilities applied to verify the technical security posture of enterprise IT service and infrastructure in a risk-based manner
Security threat identification, monitoring and response capabilities based on industry best practice frameworks
IT change management procedures and processes embedded into the managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.)
Operational monitoring of the managed IT environment to ensure appropriate IT system and platform health and resilience
Standard patch management processes based on industry best practice for managed end-user devices, IT hosting platforms and core IT infrastructure
Objective:
To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities, and to prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.
Control implementation overview:
Use of commercial grade ISO 27001 certified data centre hosting providers within New Zealand for the storage of core IT equipment
Use of commercial grade ISO 27001 certified cloud hosting providers for managed cloud platform services
Centralised physical security management and support services provided by the University Facilities Security Services capability
Implementation of standard physical security access and monitoring controls across all University offices and buildings (including electronic building access management, 24/7 CCTV monitoring and security guard services etc.)
Implementation of standard environmental management and monitoring controls across all University offices and buildings (including managed heating, cooling, lighting etc.)
Objective:
To ensure protection of the organisation's assets that are accessible by suppliers. To maintain an agreed level of information security and service delivery in line with supplier agreements.
Control implementation overview:
Cybersecurity Assurance process and Privacy Impact Assessments support the procurement and use of externally managed IT services
Standard University data security and data privacy requirements are considered within contractual agreements with external suppliers
Supplier delivery and commercial management processes in place to ensure that suppliers continue to perform and meet the requirements of the supplier agreements
Objective:
To ensure that information security is an integral part of information systems across the entire system development and maintenance lifecycle.
Control implementation overview:
Cybersecurity Assurance process and Privacy Impact Assessments support the development, release or significant change of IT services or systems within the managed environment
Cyber security standards and baselines support the design, development and implementation of IT systems
Specific security awareness and secure code development training for development capabilities and resources
Implementation of industry best practice approaches to secure development life cycle practices (e.g. secure code training, security testing, and communities of practice etc.)
IT change management procedures and processes embedded into the managed enterprise IT environment in alignment with industry best practices (including change management and release procedures, change advisory board (CAB) and change management records etc.)