Cyber Security Procedure

1. The purpose of our procedure

This procedure outlines how the Cyber Security Policy is implemented to protect Adelaide University’s systems, information and services. It establishes consistent standards across centrally managed and distributed IT environments and sets clear accountability for Business Owners and IT Custodians. It defines the responsibilities and actions required to manage cyber risks and respond to threats. All related processes and standards - including incident response, vulnerability management, asset classification and training - are mandatory and enforceable under this procedure, ensuring effective cyber risk management and regulatory compliance.

Please read this procedure in conjunction with the Cyber Security Policy, IT Acceptable Use Policy, and Information Governance Policy.

2. Who our procedure applies to

This procedure applies to the Adelaide University community. It covers the following systems and services:

  • Adelaide University-owned or leased systems, platforms, infrastructure and data.
  • Cloud-hosted and vendor-managed Information Technology (IT) services used for Adelaide University business.
  • All systems used for Adelaide University business, whether managed by central IT or within distributed IT environments.

This procedure authorises the Chief Information Officer (CIO) to maintain associated protocols.

3. Our cyber security procedure

3.1 How we apply a risk-based approach

3.1.1 Adelaide University identifies and documents cyber security risks through formal assessments conducted during system acquisition, development or modification.

3.1.2 Risks identified must be recorded in accordance with the Risk Management and Legal Compliance Policy and the Risk Management Procedure.

3.1.3 Risk owners must ensure these risks remain within Adelaide University’s risk appetite. Where a risk remains outside our risk appetite, it must be approved by the Chief Information Officer (CIO) (or delegate).

3.1.4 Mitigation actions must be tracked through the relevant business unit or project team.

3.1.5 IT and risk owners must review risk assessments annually at minimum or following any system changes or incidents.

3.2 How we embed security in activities

3.2.1 Technology acquisitions and system changes must undergo a cyber security review prior to approval. This includes software, cloud services, infrastructure and third-party platforms.

3.2.2 Third‑party and cloud services must undergo a security and privacy assessment, and contracts must include university security, privacy, breach-notification and right‑to‑audit requirements proportionate to risk and data classification.

3.2.3 Project teams must complete a Security Impact Assessment (SIA) during planning stages. The IT Services team will guide design decisions to ensure security is embedded throughout the system lifecycle.

3.3 How responsibility is defined and assigned

3.3.1 The CIO is accountable for cyber security governance and resourcing.

3.3.2 The Chief Technology and Security Officer (CTSO) owns the cyber security program, standards, monitoring and incident response, and has authority to set minimum controls and required remediation.

3.3.3 Information owners must ensure appropriate classification, access controls and protection of their information assets.

3.3.4 IT custodians must enforce controls on systems under their management, including secure configuration, patching and audit logging.

3.3.5 IT ownership must be formally assigned and reviewed at least every 12 months.

3.3.6 Business owners are accountable for the data and business processes supported by their systems. They are responsible for ensuring required security controls and risk treatments are implemented and operating effectively, and for escalating residual risks that fall outside risk appetite to the CIO (or delegate) for determination.

3.3.7 IT custodians must ensure the environments they manage comply with Adelaide University’s cyber security, risk management and compliance requirements, including secure configuration, patching and audit logging, and must evidence compliance as requested.

3.4 How we apply operational and technical controls

3.4.1 All IT users at Adelaide University must:

  • Create and maintain strong, unique passwords and enable multi-factor authentication (MFA).
  • Keep all Adelaide University-managed and personal devices secure by installing software updates and antivirus tools.
  • Never share passwords or access tokens, even with colleagues or supervisors.
  • Report stolen, lost, or compromised devices immediately to the Adelaide University Technology Service Desk.

3.4.2 System implementation teams must implement baseline security controls, including:

  • Strong passwords and multi-factor authentication (MFA).
  • Encryption of sensitive data in transit and at rest.
  • Endpoint protection and anti-malware tools.
  • Regular vulnerability scanning and patching.
  • Secure disposal of data and devices.

3.4.3 IT custodians must document how these controls are applied and report annually to the Cyber Security, Architecture and Data teams.

3.5 The rights of local administrators

3.5.1 Users must not be granted local administrator rights by default on end-user computing devices (desktops, laptops, mobile workstations).

3.5.2 Requests for local administrator access must:

  • be submitted via the ServiceNow (S/Now) platform using the approved request form, for both once-off access and a standing exemption that allows the user to obtain such access as described in 3.5.3 below
  • include clear business justification, duration of access, and a designated responsible officer
  • undergo risk assessment by the IT Security team, in consultation with the IT Custodian
  • have exceptions approved by the reporting line function executive and CTSO or their delegate.

3.5.3 If a user is approved to have local administrator access to a device for ongoing needs, they will be able to get a temporary administrator password for 24 hours through an automated process, without the need to log a request in S/Now.

3.5.4 Temporary access must be time-bound and auto-expire after the authorised period.

3.5.5 Staff and affiliates who currently hold local administrator rights may continue to exercise those rights under a transitional arrangement. These individuals are pre-approved for an exemption and may request and receive local administrator access through an automated, auditable ServiceNow process.

Local administrator rights are granted by exception, time-bound, tightly controlled, and regularly reviewed, and only where required for essential tasks (e.g., software development, system maintenance, specialised troubleshooting).

Refer to the Transition Rules Register.

3.5.6 Local administrator rights must be audited quarterly, with non-compliant access revoked.

3.6 How to respond to security incidents

3.6.1 Suspected or confirmed cyber security incidents must be reported by the affected user immediately to the IT Service Desk or Cyber Security Operations team via the approved channels.

3.6.2 Incidents are classified as low, medium, high or critical based on potential impact and must be handled in accordance with our Information Breach Procedure.

3.6.3 The Cyber Security Operations team will investigate and respond to incidents, coordinating with Legal, Risk and Compliance teams as required.

3.6.4 Potential data breaches must be assessed under the Notifiable Data Breaches (NDB) scheme within required timeframes. Any notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals will be coordinated by the Privacy Officer (in consultation with Legal and the CTSO).

3.7 Our cyber awareness training

3.7.1 All members of the Adelaide University community who access the University’s technology environment must complete cyber security awareness training upon commencement and annually thereafter. Non‑completion may result in access suspension or disciplinary action.

3.7.2 The Cyber Security Operations team delivers additional campaigns, simulations (e.g., phishing simulations) and learning resources throughout the year as part of the annual Cyber Security Training and Awareness Program. Additional individual training may be required based on the outcomes of these activities.

3.7.3 Line Managers must ensure their teams complete required training and may request additional training and support briefings as required.

3.8 How we monitor and audit our cyber security posture

3.8.1 Adelaide University IT systems must log user activity, system changes and access to sensitive data. Logs must be retained for a minimum of 12 months and reviewed periodically by IT Security.

3.8.2 Internal cyber security audits must be conducted at least every two years. Findings and recommendations must be documented and actioned by responsible units.

3.8.3 Cyber security control testing must be conducted at least annually, including independent assessments or penetration testing after material changes.

3.9 How we review and improve our practices

3.9.1 Our procedure will be reviewed at least every two years, or as required in response to significant incidents, regulatory change, or audit findings.

3.9.2 Continuous improvement is informed by incident learnings, audit outcomes and emerging threats. Updates to affected systems, services or domains must be approved by the CIO or the relevant accountable authority under the University's delegated authority framework.

4. Governance and enforcement

This section sets out reporting, investigation, and disciplinary processes, and includes obligations under the OAIC NDB scheme.

4.1 Breaches of policy or procedure

Breaches of our policy or procedure may include:

  • failing to apply required cyber security controls
  • mishandling confidential or sensitive information
  • using University systems without authorisation
  • ignoring known vulnerabilities or security recommendations.

Breaches may be unintentional or deliberate. All incidents must be reported to the IT Service Desk and reviewed by the Cyber Security Operations team.

4.2 Disciplinary action and legal consequences

Disciplinary action and legal consequences of a data breach may include:

  • removal of system access
  • performance or disciplinary action (for staff or students)
  • termination of contracts (for third parties)
  • referral to regulators or law enforcement in serious cases.

Disciplinary responses are aligned with the Student Code of Conduct, Student Misconduct Procedure, Staff Code of Conduct, and employment contracts.

4.3 Reporting and notifying data breaches (OAIC NDB Scheme)

If a security incident involves the unauthorised access, disclosure or loss of personal information that is likely to cause serious harm:

  • An immediate assessment will be conducted.
  • Affected individuals and the OAIC must be notified in accordance with the Privacy Act 1988 (Cth).
  • Risk-mitigation measures must be activated to prevent further harm.

The [CTSO] leads the assessment and notification process and coordinates with Legal and Privacy teams where required.

4.4 Audit, logging and oversight

The [CTSO Sub-Function] must:

  • monitor and audit adherence to cyber security procedures
  • investigate and record all breach events
  • ensure system logs are retained for at least 12 months
  • provide reports to the [Cyber Governance Committee] and other relevant oversight bodies.

5. Who holds a responsibility within this procedure

Refer to the Delegation Policy for all delegations at Adelaide University.

5.1 The Chief Information Officer (CIO) is required to:

  • Oversee the University’s cyber security strategy and ensure appropriate resources and governance are in place.
  • Oversee policy implementation as the IT Custodian for centrally managed IT.
  • Accept and approve residual risks that remain outside the risk appetite.
  • Ensure centrally managed systems comply with this procedure and related standards.

5.2 The Chief Technology and Security Officer (CTSO) is required to:

  • Own the cyber security program, standards, monitoring and incident response.
  • Set minimum security controls and require remediation where controls are not met.
  • Coordinate response to cyber incidents and ensure effective logging, monitoring and reporting.
  • Provide assurance on adherence to this procedure.

5.3 Distributed IT Custodians are responsible for:

  • Ensuring systems in their areas comply with this procedure and related standards.
  • Coordinating with the CIO on risk management and incident response.
  • Implementing and enforcing secure configuration, patching and audit logging on managed systems.
  • Evidencing compliance when requested and reviewing system ownership at least annually.

5.4 Business owners are accountable for:

Business owners are the senior business role accountable for the business processes and the information supported by systems within their area of responsibility. Ownership must be recorded in the Information Asset Register and the IT Service Catalogue.

  • The data and business processes supported by their systems.
  • Ensuring required security controls and risk treatments are implemented and operating.
  • Escalating residual risks outside the risk appetite to the CIO for decision.

5.5 Information owners must:

Information owners are the designated business role responsible for classification and access decisions for a defined information asset. Where not otherwise specified, this is the same role as the business owner.

  • Classify information assets and ensure access controls and protections are applied consistent with classification and least-privilege.
  • Approve access to information within their remit.

5.6 Risk owners must:

Risk owners are accountable for keeping an asset or system’s cyber risk within Adelaide University’s risk appetite, and for approving and tracking risk treatments. For business systems this is the business owner; for centrally managed shared platforms and infrastructure this is the CIO.

  • Record, monitor and manage identified risks, ensuring risks remain within the risk appetite.
  • Review risk assessments at least annually and after material changes or incidents.

5.7 System implementation teams must:

  • Implement the baseline security controls mandated by this procedure and associated standards (e.g., MFA, encryption, endpoint protection, vulnerability management, secure disposal).
  • Document how required controls are applied.

5.8 Line managers must:

  • Ensure staff complete mandatory cyber security training and request additional training where needed.

5.9 The Privacy Officer must:

  • Coordinate assessment and notification of eligible data breaches under the Privacy Act 1988 (Cth) with Legal and the CTSO.

6. Definitions used in our procedure

Please refer to our Adelaide University glossary for a full list of our definitions.

Adelaide University community means a broad range of stakeholders who engage with Adelaide University and includes (but is not limited to) all students, staff, and non-staff members of Adelaide University including alumni, honorary titleholders, adjuncts, visiting academics, guest lecturers, volunteers, suppliers and partners who are engaging with and contributing to the work of Adelaide University.

Cyber security means the protection of information systems and digital infrastructure from unauthorised access, disruption, modification, or destruction to ensure the confidentiality, integrity, and availability of information. 

Information asset means any information, regardless of format or location, that has value to Adelaide University and is managed as a resource for decision-making, teaching, research, operations or compliance. Examples include documents and records, publications, web content, emails and messages, spreadsheets, images and photographs, datasets and databases, software applications and tools, drawings and plans, and audio or video recordings.

Notifiable Data Breaches (NDB) scheme means the regime under Part IIIC of the Privacy Act 1988 (Cth) that requires entities to notify the OAIC and affected individuals as soon as practicable when an eligible data breach occurs.

IT custodian means the individual or function responsible for implementing, maintaining and operating the technical aspects of a system in line with Adelaide University’s security and compliance standards. For centrally managed systems, the IT custodian is the Chief Information Officer. For distributed IT environments, each area must nominate a distributed IT custodian.

Multi-factor authentication (MFA) means a login method that requires two or more forms of identification before granting access to systems or data.

7. How our procedure is governed

This procedure is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.

Parent policy: Cyber Security Policy
Policy category: Corporate
Policy owner: Chief Information Officer
Approving authority: Vice Chancellor and President
Procedure owner: Chief Information Officer
Responsible officer: Chief Technology and Security Officer
Effective from: 19 December 2025
Review date: 1 year after the date this version is approved
Enquiries: Interim Central Policy Unit/[Central Policy Unit], staff.policy.enquiries@adelaideuni.edu.au
Replaced documents: None

8. Legislation and other documents related to our procedure

Refer to the Delegation Policy for all delegations at Adelaide University.

Related policy documents:

  • Cyber Security Policy
  • IT Acceptable Use Policy
  • IT Acceptable Use Procedure
  • Information Governance Policy
  • [Data Management Procedure]
  • Records Management Procedure
  • Information Breach Procedure

Referenced legislation:

  • Privacy Act 1988 (Cth)

Related legislation:

  • Security of Critical Infrastructure Act 2018 (Cth)
  • Cyber Security Act 2024 (Cth)
  • Spam Act 2003 (Cth)
  • Telecommunications (Interception and Access) Act 1979 (Cth)
  • Criminal Code Act 1995 (Cth)
  • Copyright Act 1968 (Cth)
  • Freedom of Information Act 1991 (SA)
  • State Records Act 1997 (SA)
  • Defence Trade Controls Act 2012 (Cth)

External references:

  • Essential Eight | Australian Signals Directorate (ASD) & Australian Cyber Security Centre (ACSC)
  • Compliance in focus: Cyber security | TEQSA
  • South Australian Protective Security Framework Overview | SA Gov
  • South Australian Cyber Security Framework | SA Gov
  • South Australian Protective Security Framework Executive Guide | SA Gov
  • ISO/IEC 27001:2022 Standard
  • Data breaches | OAIC
  • About the Notifiable Data Breaches scheme | OAIC
  • AUSCERT
  • NIST Cybersecurity Framework (CSF) 2.0
  • NIST Security and Privacy Controls for Information Systems and Organizations

9. History of changes

Date approved: 18 December 2025
IPD1340PRO
To section/clauses: N/A
Description of change: New procedure

At the time of writing, some organisational details within Adelaide University are still evolving. Square brackets [ ] are used to indicate placeholders or areas where information may be refined, clarified or confirmed. These will be updated as the University's arrangements are finalised.