Procedure: Information Technology account management and access
To establish the framework and procedures by which University Information Technology (IT) accounts are managed and secured, and set guidelines for the use of privileged access and elevated access accounts.
Definitions of additional terms used in this document are provided in the overarching policy, Information Technology security.
Non-ANU entity: a separate legal entity to the University that has a presence within the University boundary, and requires as a minimum, access to the ICN and an allocation of the University’s internet protocol (IP) addresses.
- The University provides access to information infrastructure and services to authorised users within the University community.
- Suspected or known security incidents must be reported to the Information Technology Services (ITS) Cyber and Digital Security Team by emailing email@example.com and remediation will be coordinated from that office.
- The University is responsible for:
- providing and maintaining access to information infrastructure and systems for authorised users
- suspending an authorised user's network access for breaches of policy where a penalty or disciplinary action imposed under the Information Infrastructure and Services Rule 2015 requires it
- where possible, informing users when their devices are blocked from network access and the actions they must undertake before network access will be restored.
- authorising and providing non-ANU entities with network access and determining the form of the network access.
System owner responsibilities
- System owners are responsible for:
- security architecture, and identity and access architecture within the systems that they manage
- providing appropriate network access to business areas under the control of the respective Budget Unit
- providing and maintaining accounts for visitors
- ensuring all users acknowledge and are advised of all relevant ANU policies and related documents, and are provided with adequate training and support on the use of information infrastructure
- conducting semi-annual reviews of privileged access and elevated access to confirm that each user still requires the access to perform their role. The Manager, Cyber and Digital Security will initiate the semi-annual review process and report the outcomes to the Director, ITS
- identifying and managing disaster recovery and business continuity requirements within their area
- ensuring that risk management, including risk assessment and mitigation, and change management processes, are undertaken with respect to the information technology within their area.
Authorised user responsibilities
- Authorised users are responsible for:
- respecting the rights of other users and the integrity of the network, systems and physical infrastructure
- maintaining awareness of and compliance with all relevant ANU policies and related documents, Rules and Standards governing IT and information assets, relevant laws, regulations, and contractual obligations
- completing any user training required by the system owners
- complying with the security and password requirements set out in the Passwords procedure.
Privileged access and elevated access accounts
- Privileged access users of a system are those who have one or more of the following capabilities; they may include system and database administrators:
- the ability to change key system configurations
- the ability to change control parameters
- access to audit and security monitoring information
- the ability to circumvent security measures
- access to data, files, and accounts used by other users, including backups and media
- special access for troubleshooting a system.
- Elevated access users are those within a business system or application who have additional access via roles or functionality, and who do not have privileged access. Elevated access users may include supervisors or reviewers.
- Access to the University's computing resources, facilities and data is generally available to managers and administrative staff throughout the University. Standard access is provided to users by default; elevated access or privileged access is granted only on submission of an application form with delegate approval.
- A list of privileged account users is maintained by each system owner.
- System owners must ensure that:
- staff requesting access to a system have a genuine business requirement, verified by their manager
- staff are only given the privileges required to undertake their duties
- privileged accounts are controlled and accountable
- privileged accounts are kept to a minimum and only used for essential administrative tasks
- users are provided with adequate training and support on the use of privileged accounts and the security of information assets.
- Users of privileged accounts must ensure the security of the account and access, and that any risk is identified and reported.
- Privileged and elevated access accounts must be used for administrative purposes only; no web browsing or email access should occur while logged in with this access.
Deactivation and expiration of access
- The University is responsible for establishing and managing life cycles of user accounts for authorised users.
- Deactivation and/or expiration of access will occur when:
- a student or staff member leaves the University
- an auxiliary account holder is no longer associated with the University
- a user is found to have breached the ANU information technology policies and rules governing appropriate usage of University information technology resources
- an account is no longer required or has reached its expiration date as advised on the University Email or auxiliary account request form.