IT policy changes in response to cyber security environment

The IT Policy Framework has been reviewed and amended in response to an increasingly complex cyber security environment. Here, Alex Hanlon, Executive Director | Kaihautū Matua, Learning Resources | Te Ratonga Rauemi Ako  highlights  some of the important changes.

UC wishes to increase our monitoring of computer use – this will affect you and any device, UC or otherwise, that you might use to work on.

• The IT Policy Framework (“the Policy”) is the overarching document that describes the relationship between the IT services provided by the University.

• The Internet Usage Policy defines what the University considers appropriate usage of the internet and how access to the internet will be managed and monitored.

These Policies are reviewed annually in response to changing demands.

As you will be aware, the cyber-security landscape is constantly evolving. As a result of this increasing threat, it has become necessary to increase our defences with regards to the threats posed by those who misuse technology against individuals and organisations.

With this in mind, the Policy has been updated to encompass further measures around enforcement and monitoring to ensure that the UC IT environment is more safe and secure. The updated policy has been approved by the University Senior Management Team.

The Policy has always permitted IT Services to undertake monitoring, but the scope and circumstances of that monitoring have been less than what is now proposed. IT Services will now be continually and increasingly monitoring all aspects of the University’s IT systems and devices that are connected to these systems. This means that IT Services will use a range of monitoring tools to constantly scan for, and check characteristics of all files and devices that use the UC network, and our IT systems.

There are two main areas of the policy that have changed;

1. The first is in the case of non-University owned devices. You are no longer encouraged to connect your own devices to University network and IT systems (although there is no prohibition on you doing so), however if you do connect your own devices to the University IT systems, you must accept that non-UC devices are subject to monitoring, and if necessary, investigation. All investigations will continue to be carried out in accordance with UC procedures which take account of UC’s privacy obligations.

2. The Policy makes clear that University IT resources are not provided for personal use purposes; anything that you have on any University-provided system that you might consider “personal” (including files, photos, music and video) is subject to monitoring and investigation. For the avoidance of doubt, the scope includes the University email systems.

UC appreciates that these changes will have far-reaching consequences, and therefore system-wide monitoring under the IT Policy Framework and Internet Usage Policy will not take immediate effect, but will come into force on 1 January 2019.

We encourage you to take the opportunity to remove any personal files/emails that you do not want to be the subject of the University monitoring activities before the summer holidays.

As part of our increasingly aggressive cyber-defence approach, the University is also trying to make everyone aware of cyber-risks that we are all subject to; you will begin to see posters, Intercom and Insider’s Guide posts, information on digital usage, all providing tips on how to help you identify threats and to reduce your own cyber risk profile and flow on effects to UC network and IT systems.

Keep an eye out for future updates.

For further information please contact Andy Keiller, Chief Information Officer: andy.keiller@canterbury.ac.nz.