Procedure: Information Technology account management and access
To establish the framework and procedures by which University Information Technology (IT) accounts are managed and secured, and set guidelines for the use of privileged accounts.
Definitions of terms used in this document are provided in the overarching Policy (Information Technology Security Policy).
- In alignment with the University's strategic plans, the University will provide access to information infrastructure and services to all members of the University community, enabling the continued excellence and performance in education, teaching and learning, and research.
- The University provides access to:
- all authorised users within the University community
- all network connecting devices authorised for connection, and that have been allocated an IP address within the University's IP Address range.
- Suspected or known security incidents must be reported to University Cyber and Digital Security and remediation is coordinated from that office.
- The University is responsible for:
- providing and maintaining authorised users with access
- suspending an authorised user's network access for breaches of policy, resulting from penalties or disciplinary action imposed under the Information Infrastructure and Services Rules 2015
- instructing any authorised users identified responsible for network connecting devices which have been blocked from network access and the obligations they must undertake before network access is restored
- authorising and providing non-ANU Entities with network access and determining the form of the network access
- ensuring all network access adheres to the obligations of the University's Access Agreement
- University responsibilities under this procedure are vested in Information Technology Services.
- System owners are responsible for:
- Security architecture and identity and access architecture within the systems that they manage
- providing appropriate network access to business areas under the control of the respective Budget Unit
- provision and ongoing management of user accounts for visitors
- ensuring authorised users acknowledge and abide by all relevant ANU policies and related documents
- conducting semi-annual reviews of privileged access and elevated access to ensure that access is still required for the users to perform their role. The Manager, Cyber and Digital Security will initiate semi-annual review process and report outcomes to the Director, ITS.
- ensuring users are provided with adequate training and support on the use of information infrastructure and the security of information assets
- identifying and managing disaster recovery and business continuity requirements within their area
- ensure that risk management, including risk assessment and mitigation, and change management processes, are undertaken with respect to the information technology within their area.
- Authorised Users are responsible for:
- respecting the rights of other users and the integrity of the network, systems and physical infrastructure
- observing and complying with all relevant policies, laws, regulations, and contractual obligations
- not connecting unauthorised network devices to the University’s network
- complying with security and password requirements set out in the Password Procedure
- maintaining an appropriate level of awareness and compliance with University policies, procedures, Rules and Standards governing IT and information assets, and completing any user training required by the system owners.
Privileged Access and Elevated Access Accounts
- Privileged Access users are users of a system/s with one or more of the following, and may include systems and database administrators:
- the ability to change key system configurations
- the ability to change control parameters
- access to audit and security monitoring information
- the ability to circumvent security measures
- access to data, files, and accounts used by other users, including backups and media
- special access for troubleshooting a system.
- Elevated Access users are users within a business system or application who have additional access via roles or functionality, who do not have Privileged Access. Elevated Access users may include supervisors or reviewers.
- Access to the University's computing resources, facilities and data is generally available to managers and administrative staff throughout the University. Least privilege access is provided initially to users by default; elevated access or privileged access is granted on the submission of an application form with delegate approval.
- A list of privileged account users is maintained by each system owner.
- Use of privileged accounts
- Staff requiring access to a system must have a genuine business requirement, verified by their manager, to access the system.
- Staff must only be given the privileges required to undertake their duties. Providing staff with privileged access when there is no requirement can pose a significant risk to the integrity of the system.
- Privileged accounts can potentially allow access to the entire system and strong authentication must be used, especially if the account provides access to financial, confidential, or otherwise sensitive information or data.
- Control of privileged accounts
- Privileged accounts must be controlled and accountable.
- Privileged accounts must be kept to a minimum and only used for essential administrative tasks.
- Supervisors of privileged accounts must ensure users are provided with adequate training and support on the use of privileged accounts and the security of information assets.
- Users of privileged accounts must ensure the security of the account and access, and that any risk is identified and reported.
- Users of privileged accounts must apply change management processes.
- Users of privileged accounts are responsible for maintaining an appropriate level of awareness and compliance with University policies, procedures, Statutes, Rules, and Standards governing access, information infrastructure, and elevated password requirements.
Deactivation and Expiration of Access
- The University is responsible for establishing and managing life cycles of user accounts for authorised users.
- Deactivation and/or expiration of access will occur when:
- a student or staff member leaves the University
- an auxiliary account is no longer associated with the University
- a user is found to have breached the ANU information technology policies and Rules governing appropriate usage of University information technology resources
- an account is no longer required/has reached its expiration date as advised on the University Email Account/Auxiliary Account Request Form.