What a cyber security policy is
A cyber security policy outlines how your school plans to protect its digital systems and sensitive data. It demonstrates your school’s commitment to good cyber security practices. It defines:
- what processes will be established and followed
- which security tools will be used
- data handling procedures
- roles and responsibilities of teachers, information technology (IT) staff and management in maintaining cyber security.
How it differs from acceptable use
Acceptable use explains how people are expected to behave while using school digital resources. A cyber security policy explains what security practices your school will aim to implement and maintain to protect its digital systems and data.
If you need help understanding what to put in your acceptable use guidelines, read our advice.
Why a cyber security policy is important
A cyber security policy is important for your school because it establishes expectations about:
- your school’s commitment to implementing security requirements
- implementing technical controls like firewalls to protect IT systems and data
- processes for detecting, reporting, and responding to cyber security incidents
- maintaining network infrastructure for reliability and availability of education services
- safeguarding digital assets, including education content, from unauthorised tampering
- setting clear guidelines for secure use of technology resources like digital libraries.
Creating a cyber security policy
When creating your cyber security policy, we recommend you cover:
- the purpose of the policy, including how important cyber security is in your school or kura
- the process for cyber security risk management
- the scope, including which IT systems, devices and digital assets are covered by the policy
- roles and responsibilities for cyber security implementation and management, and how staff will be trained for security awareness
- technical measures you want in place (firewalls, encryption, and antivirus)
- administrative measures you will implement (user authentication and data backup)
- your incident response plan and details of how to respond to and report incidents
- guidelines for secure access to school systems including remote access
- compliance with legislative and regulatory requirements.
Your policy should be developed to fit your school's branding, security requirements and values.
Your school or kura can use the following resources to create a cyber security policy.
Create an online security policy for your business – Own your online
Maintaining and championing a cyber security policy
Maintaining and championing a cyber security policy requires dedication, ongoing effort and involvement from all staff and teachers. We recommend that you:
- periodically review and update the policy to maintain its relevance
- designate an individual or group to oversee and implement the policy
- include lessons about basic cyber security practices for your students
- cover the policy during staff and teacher training
- discuss the policy during any exercises relating to incident response.
Read about staff roles and responsibilities for cyber security at school.