Security policy

1. Purpose

This Security Policy outlines the security principles of New Zealand eScience Infrastructure (NeSI). It governs the design, operation, and delivery of all NeSI services and capabilities. NeSI is committed to delivering secure, high-performing, and flexible eResearch computing and data services.

2. Owner

Owned by: NeSI Director

Content manager: Chief Information Security Officer

Approved by: NeSI Board

Date approved: 01 November 2023

Review date: 19 September 2024

3. Scope

This policy applies to all NeSI staff, users, third parties (including, but not limited to contractors, consultants, and volunteers), or anyone using NeSI systems, services, or infrastructure. It applies to all NeSI information and those who create, access, process, transmit, or store NeSI Information.

4. Definitions

  • Controls - Any policies, procedures, practices, devices, configurations, and other measures designed to safeguard information security and mitigate potential loss.
  • Incident - Any breach, event, exposure, loss, or compromise of NeSI Information, NeSI Systems, or User Information.
  • Information Security - The assurance that the confidentiality, integrity, and availability of all NeSI Information, User Information, and NeSI Systems are maintained to the appropriate degree, and that NeSI Information and User Information are only accessible by authorized users.
  • NeSI Information - Any non-public information created or managed by NeSI; does not include User Information.
  • NeSI Systems - Any system that stores, processes, or transmits NeSI Information or User Information.
  • Project Owner - The individual responsible and accountable for User Information contained within a project.
  • Software - Applications, services, operating systems, web applications, databases, or other tools used on NeSI Systems.
  • User - An individual who accesses a NeSI System.
  • User Information - Information provided by the User and hosted on a NeSI System.

5. Security Principles

5.1. Information Security is the responsibility of all members of the NeSI community that access NeSI Systems.

5.2. All Users are responsible for protecting their NeSI credentials against unauthorized use.

5.3. NeSI systems must not be used in a manner that violates NeSI policies, agreements, or contracts.

5.4. All NeSI Systems and systems storing NeSI Information and User Information must be protected, have documented Controls, and be monitored for improper access, both electronic and physical.

5.5. Access to NeSI Information is strictly controlled and will only be made available to individuals who have a legitimate need.

5.6. Access to NeSI Information or NeSI Systems shall be revoked when access is no longer needed.

5.7. Access to User Information is strictly controlled and must be authorised by the Project Owner or their designee.

5.8. Software must be updated on all NeSI Systems and systems storing NeSI Information or User Information.

5.9. NeSI will protect NeSI Information against loss and corruption and provide capabilities and training for Users to protect User Information against loss and corruption.

5.10. NeSI will create, manage, and dispose of NeSI Information in accordance with legal obligations under New Zealand law.

5.11. NeSI will manage incidents in accordance with our Incident Management guidelines ensuring timely and appropriate communications, prompt and comprehensive response, investigation, recovery, and resolution.

5.12. NeSI must conduct appropriate due diligence on NeSI Systems that will store or have access to NeSI Information or User Information.

5.13. Information Security risks to NeSI Information, User Information, or NeSI Systems are regularly identified, assessed, and managed in accordance with our risk management practices.

5.14. NeSI team members must complete annual security training relevant to their roles and responsibilities.

5.15. All changes to NeSI Systems will be handled in accordance with our Change Control Procedure.

5.16. NeSI will strive to store and process all NeSI Information and User Information within New Zealand's legal jurisdiction.

5.17. Any actual or suspected loss, theft, or improper use of or access to, NeSI Information, NeSI systems, or User Information must be reported.

5.18. NeSI will take a collaborative and iterative approach to the rapidly changing and evolving Information Security landscape.

6. Governance

This Security Policy will be reviewed annually. The NeSI Chief Information Security Officer may submit amendments to the Board of Directors for approval from time to time.

7. Roles and Responsibilities

7.1. NeSI User Responsibilities

7.1.1. Agree to and adhere to the NeSI Acceptable Use Policy and follow relevant supporting procedures and guidelines.

7.1.2. Access User Information they have a legitimate need to and not knowingly attempt to gain access to other information.

7.1.3. Report any identified or suspected Information Security incident.

7.2. NeSI Project Owner Responsibilities

7.2.1. Maintain up-to-date project access lists.

7.2.2. Approve new User access upon legitimate request.

7.2.3. Revoke User access immediately after the User no longer has a legitimate need to access User Information.

7.3. NeSI Team Responsibilities

7.3.1. Complying with relevant standards, practices, and guidelines.

7.3.2. Assisting the Chief Information Security Officer to identify and develop suitable Information Security standards, practices, and guidelines.

7.3.3. Managing and monitoring NeSI Systems for potential Information Security risks and threats.

7.4. NeSI Senior Leadership Team Responsibilities

7.4.1. Approving and maintaining service and product standards, practices, and guidelines.

7.4.2. Authorising and revoking access to NeSI Information based on roles and responsibilities.

7.4.3. Evaluating and accepting Information Security risks.

7.4.4. Demonstrating commitment to, and promoting, Information Security best practices in their communications and behaviours.

7.4.5. Ensuring resources are available to implement the people, processes, and tooling needed to uphold the Information Security practices required to comply with this Policy.

7.5. NeSI Chief Information Security Officer (CISO) Responsibilities

7.5.1. Drafting and maintaining this and other relevant Security Policies.

7.5.2. Promoting the importance of Information Security to NeSI staff, NeSI users, and the broader community.

7.6. NeSI Chief Executive Officer / Director Responsibilities

7.6.1. Has overall accountability for Information Security and is responsible for representing Information Security risks to the Board of Directors, with support from the CISO where appropriate.

7.6.2. May delegate, in writing, to another person any of the responsibilities but retains overall accountability for NeSI Information Security.

7.6.3. Appoints a Chief Information Security Officer and supports them in their responsibilities.

7.7. NeSI Board of Directors

7.7.1. Approving and providing guidance on this and other NeSI policies.

8. Supporting Documents

This policy and the supporting Controls are aligned with the rationale and objectives of the following:

8.1. NeSI recognises the relationship between the Crown, and hapū, iwi, and Māori citizens, which is governed by Te Tiriti o Waitangi. The articles of Te Tiriti provide for:

  • kāwanatanga – the governing of Aotearoa New Zealand by the Crown (Article 1)
  • tino rangatiratanga – Māori, hapū and iwi having control over their resources, culture and communities (Article 2). (We use tino rangatiratanga to refer to hapū and iwi who were co-signatories of Te Tiriti with the Crown.)
  • ōritetanga – Māori having equal rights, as citizens of Aotearoa New Zealand (Article 3).

8.2. New Zealand Privacy Act of 2020

8.3. NeSI Privacy Policy

8.4. New Zealand Information Security Manual (NZISM)

8.5. National Institute of Standards and Technology Cyber Security Framework


Version History

Version    Date                 Change description
1.0        15 September 2023    Initial release.