
Security Policy

1. Purpose

This Security Policy outlines the security principles for the HPC Platform of Research and Education Advanced Network New Zealand (REANNZ). It governs the design, operation, and delivery of all REANNZ HPC services and capabilities. REANNZ is committed to delivering secure, high-performing, and flexible eResearch computing and data services.

2. Scope

This policy applies to all REANNZ staff, users, third parties (including, but not limited to contractors, consultants, and volunteers), or anyone using REANNZ HPC systems, services, or infrastructure. It applies to all REANNZ information and those who create, access, process, transmit, or store REANNZ Information.

3. Definitions

  • Controls - Any policies, procedures, practices, devices, configurations, and other measures designed to safeguard information security and mitigate potential loss.
  • Incident - Any breach, event, exposure, loss, or compromise of REANNZ Information, a REANNZ HPC System, or User Information.
  • Information Security - The assurance that the confidentiality, integrity, and availability of all REANNZ Information, User Information, and REANNZ HPC Systems are maintained to the appropriate degree and are only accessible by authorised users.
  • REANNZ Information - Any non-public information created or managed by REANNZ; it does not include User Information.
  • REANNZ HPC Systems - Any system that stores, processes, or transmits REANNZ Information or User Information.
  • Project Owner - The individual responsible and accountable for User Information contained within a project.
  • Software - Applications, services, operating systems, web applications, databases, or other tools used on REANNZ HPC Systems.
  • User - An individual who accesses a REANNZ HPC System.
  • User Information - Information provided by the User and hosted on a REANNZ HPC System.

4. Security Principles

  1. This policy is guided by the following security principles:
    1. Information Security is the responsibility of all members of the REANNZ community that access REANNZ HPC Systems.
    2. All Users are responsible for protecting their REANNZ HPC credentials against unauthorised use.
    3. REANNZ HPC systems must not be used in a manner that violates REANNZ policies, agreements, or contracts.
    4. All REANNZ HPC Systems and systems storing REANNZ Information and User Information must be protected, have documented controls, and be monitored against improper access, both electronic and physical.
    5. Access to REANNZ Information is strictly controlled and will only be made available to individuals who have a legitimate need.
    6. Access to REANNZ Information or REANNZ HPC Systems shall be revoked when access is no longer needed.
    7. Access to User Information is strictly controlled and must be authorised by the Project Owner or their designee.
    8. Software must be updated on all REANNZ HPC Systems and systems storing REANNZ Information or User Information.
    9. REANNZ will protect REANNZ Information against loss and corruption and provide capabilities and training for Users to protect User Information against loss and corruption.
    10. REANNZ will create, manage, and dispose of REANNZ Information in accordance with legal obligations under New Zealand law.
    11. REANNZ will manage incidents in accordance with our Incident Management guidelines ensuring timely and appropriate communications, prompt and comprehensive response, investigation, recovery, and resolution.
    12. REANNZ must conduct appropriate due diligence on REANNZ HPC Systems that will store or have access to information or User Information.
    13. Information Security risks to REANNZ Information, User Information, or REANNZ HPC Systems are regularly identified, assessed, and managed in accordance with our risk management practices.
    14. REANNZ team members must complete annual security training relevant to their roles and responsibilities.
    15. All changes to REANNZ HPC Systems will be handled in accordance with our Change Control Procedure.
    16. REANNZ will strive to store and process all REANNZ Information and User Information within New Zealand's legal jurisdiction.
    17. Any actual or suspected loss, theft, or improper use of, or access to, REANNZ Information, REANNZ HPC Systems, or User Information must be reported.
    18. REANNZ will take a collaborative and iterative approach to the rapidly changing and evolving Information Security landscape.

5. Governance

This Security Policy will be reviewed annually, and the REANNZ Cyber Security Manager may from time to time submit amendments to the Board of Directors for approval.

6. Roles and Responsibilities

  1. REANNZ User Responsibilities:
    1. Agree to and adhere to the REANNZ HPC Platform Acceptable Use Policy and follow relevant supporting procedures and guidelines.
    2. Access User Information they have a legitimate need to access, and not knowingly attempt to gain access to other information.
    3. Report any identified or suspected Information Security incident.
  2. REANNZ HPC Platform Project Owner Responsibilities:
    1. Maintain up-to-date project access lists.
    2. Approve new User access upon legitimate request.
    3. Revoke User access immediately after the User no longer has a legitimate need to access User Information.
  3. REANNZ Team Responsibilities:
    1. Complying with relevant standards, practices, and guidelines.
    2. Assisting the Cyber Security Manager to identify and develop suitable Information Security standards, practices, and guidelines.
    3. Managing and monitoring REANNZ HPC Systems for potential Information Security risks and threats.
  4. REANNZ Senior Leadership Team Responsibilities:
    1. Approving and maintaining service and product standards, practices, and guidelines.
    2. Authorising and revoking access to REANNZ Information based on roles and responsibilities.
    3. Evaluating and accepting Information Security risks.
    4. Demonstrate commitment and promote Information Security best practices in their communications and behaviours.
    5. Ensure resources are available for implementation of people, process, and tooling to uphold the Information Security practices in place to comply with this Policy.
  5. REANNZ Cyber Security Manager Responsibilities:
    1. Drafting and maintaining this and other relevant Security Policies.
    2. Promoting the importance of Information Security to REANNZ staff, REANNZ users, and the broader community.
  6. REANNZ Chief Executive Responsibilities:
    1. Has overall accountability for Information Security and is responsible for representing Information Security risks to the Board of Directors, with support from the Cyber Security Manager where appropriate.
    2. May delegate, in writing, to another person any of the responsibilities but retains overall accountability for REANNZ Information Security.
    3. Appoint a Cyber Security Manager and support them in their responsibilities.
  7. REANNZ Board of Directors Responsibilities:
    1. Approving and providing guidance on this and other REANNZ policies.

7. Supporting Documents

This policy and the supporting Controls are aligned with the rationale and objectives of the following:

  1. REANNZ recognises the relationship between the Crown, and hapū, iwi, and Māori citizens, which is governed by Te Tiriti o Waitangi. The articles of Te Tiriti provide for:
    1. kāwanatanga – the governing of Aotearoa New Zealand by the Crown (Article 1)
    2. tino rangatiratanga – Māori, hapū and iwi having control over their resources, culture and communities (Article 2). (We use tino rangatiratanga to refer to hapū and iwi who were co-signatories of Te Tiriti with the Crown.)
    3. ōritetanga – Māori having equal rights, as citizens of Aotearoa New Zealand (Article 3).
  2. New Zealand Privacy Act 2020
  3. REANNZ Privacy Policy
  4. New Zealand Information Security Manual (NZISM)
  5. National Institute of Standards and Technology Cyber Security Framework