1. The purpose of our policy
This policy outlines the principles guiding Adelaide University’s management of cyber security risks and safeguards the confidentiality, integrity and availability of its information systems and digital assets.
It establishes governance-level responsibilities for risk-based cyber security decision-making, role-based accountability, incident response and the secure operation of information technology (IT) services.
This policy provides authority to maintain the:
- Cyber Security Procedure
- [Cyber Security-related standards and guidelines].
Please read this in conjunction with the IT Acceptable Use Policy and Information Governance Policy.
2. Who our policy applies to
This policy applies to the Adelaide University community.
3. Our cyber security principles
3.1 We apply consistent security standards across centrally managed and distributed IT
Adelaide University applies consistent cyber security standards to all information systems, regardless of where they are managed or operated. This includes systems and devices managed by central IT under the Chief Information Officer (the IT custodian for centrally managed environments) and systems managed within Distributed IT areas, which must each nominate an IT custodian.
3.2 We apply secure and responsible practices to AI systems and data
Adelaide University recognises that artificial intelligence (AI) systems form part of its digital environment and are subject to the same cyber security, data protection, and compliance requirements as other information systems. AI platforms, models, and related data must be implemented, configured, and maintained in accordance with the University’s security standards, data governance frameworks, and ethical use guidelines, whether managed centrally or within Distributed IT areas.
3.3 We manage cyber security through a risk-based approach
Adelaide University protects its information and systems by identifying, assessing and managing cyber security risks. Security measures are proportionate to the sensitivity and importance of the information involved.
3.4 We embed security in everything we do
Cyber security is incorporated into the design, acquisition, development, change management and operation of Adelaide University systems and services. Security is embedded and maintained throughout each system’s lifecycle to ensure our information and technology environment remains resilient. It also applies to university-owned, leased, or cloud-hosted infrastructure, applications, platforms, and services, whether managed centrally or by colleges, schools, portfolios, and business units. Controls are reviewed regularly to remain effective as threats evolve and are aligned with recognised standards.
3.5 We apply the principle of least privilege and local administrator rights
Adelaide University applies the principle of least privilege to all digital systems and services. Local administrator access on end-user devices is restricted to authorised personnel only and must be justified, time-limited, and risk-assessed. Access is granted through approved processes and logged for auditability.
3.6 We define and uphold clear responsibilities for cyber security
Cyber security is a shared responsibility. We assign role-based accountability and maintain appropriate technical and operational safeguards to protect our information and systems.
3.7 We respond swiftly and efficiently to cyber security incidents
We respond to cyber security incidents promptly and in a coordinated manner to protect the confidentiality, integrity and availability of information, systems and services. We detect, report, investigate and recover from incidents—including data breaches, unauthorised access, malware and denial-of-service attacks—and ensure that lessons are captured and required notifications to individuals or authorities are made.
3.8 We build security awareness and capability across our community
We support our community with regular cyber security education, practical training and access to guidance. All members of the Adelaide University community who access the University’s technology environment must complete cyber security awareness training and remain vigilant against cyber risks in their work and study.
3.9 We monitor and continuously improve our cyber security practices
We actively monitor systems to detect vulnerabilities, verify compliance and strengthen security. We maintain up-to-date procedures aligned with legal, regulatory and operational requirements to ensure effectiveness and continuous improvement.
3.10 We enforce our policy and comply with legal obligations
Breaches of this policy, including negligent handling of sensitive data, failure to follow required controls or unauthorised use of Adelaide University systems, may result in disciplinary action, termination of access, or review of contracts. Where personal information is involved, we comply with the Notifiable Data Breaches (NDB) scheme.
4. Definitions used in our policy
Please refer to our Adelaide University glossary for a full list of our definitions.
Adelaide University community means a broad range of stakeholders who engage with Adelaide University and includes (but is not limited to) all students, staff, and non-staff members of Adelaide University including alumni, honorary titleholders, adjuncts, visiting academics, guest lecturers, volunteers, suppliers and partners who are engaging with and contributing to the work of Adelaide University.
Cyber security means the protection of information systems and digital infrastructure from unauthorised access, disruption, modification, or destruction to ensure the confidentiality, integrity, and availability of information.
IT custodian means the individual or function responsible for implementing, maintaining and operating the technical aspects of a system in line with Adelaide University’s security and compliance standards. For centrally managed systems, the IT custodian is the Chief Information Officer. For distributed IT environments, each area must nominate a distributed IT custodian.
Least privilege means users should have only the minimum level of access needed to perform their functions.
Notifiable Data Breaches (NDB) scheme means the regime under Part IIIC of the Privacy Act 1988 (Cth) that requires entities to notify the OAIC and affected individuals as soon as practicable when an eligible data breach occurs.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not, as defined in the Privacy Act 1988 (Cth).
Risk-based approach means the process of identifying, evaluating, and prioritising risks to information systems, and applying appropriate controls to manage those risks based on potential impact and likelihood.
5. How our policy is governed
This policy is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.
| Category | Description |
|---|---|
| Policy category | Corporate |
| Approving authority | Vice Chancellor and President |
| Policy owner | Chief Information Officer |
| Responsible officer | Chief Technology and Security Officer |
| Effective from | 19 December 2025 |
| Review date | 1 year after date this version is approved |
| Enquiries | Interim Central Policy Unit/[Central Policy Unit] staff.policy.enquiries@adelaideuni.edu.au |
| Replaced documents | None |
6. Legislation and other documents related to our policy
Refer to the Delegation Policy for all delegations at Adelaide University.
| Category | Documents |
|---|---|
| Associated procedures | Cyber Security Procedure |
| Related policy documents | [Data Management Procedure] |
| Referenced legislation | Privacy Act 1988 (Cth) |
| Related legislation | Security of Critical Infrastructure Act 2018 (Cth); Telecommunications (Interception and Access) Act 1979 (Cth) |
| External references | Essential Eight, Australian Signals Directorate (ASD) & Australian Cyber Security Centre (ACSC); Compliance in focus: Cyber security, TEQSA; South Australian Protective Security Framework Overview, SA Gov; South Australian Cyber Security Framework, SA Gov; South Australian Protective Security Framework Executive Guide, SA Gov; About the Notifiable Data Breaches scheme, OAIC; NIST Cybersecurity Framework (CSF) 2.0; NIST Security and Privacy Controls for Information Systems and Organizations |
7. History of changes
| Date approved | To section/clauses | Description of change |
|---|---|---|
| 18 December 2025 IPD1330POL | N/A | New policy |
At the time of writing, some organisational details within Adelaide University are still evolving. Square brackets [ ] are used to indicate placeholders or areas where information may be refined, clarified or confirmed. These will be updated as the University's arrangements are finalised.