Procedure: Information technology account management and access
To establish the framework and procedures by which University information technology (IT) accounts are managed and secured, and set guidelines for the use of privileged access and elevated access accounts.
Definitions of additional terms used in this document are provided in the overarching Information technology security policy.
Non-ANU entity: a separate legal entity to the University that has a presence within the University, and requires access to the Integrated Communication Network (ICN) and an allocation of the University’s internet protocol (IP) addresses. Accounts created for this purpose are known as auxiliary accounts.
Privileged access: users of a system who have one or more of the following, and may include systems and database administrators:
- the ability to change key system configurations;
- the ability to change control parameters;
- access to audit and security monitoring information;
- the ability to circumvent security measures;
- access to data, files, and accounts used by other users, including backups and media; or
- special access for troubleshooting a system.
Elevated access: users within a business system or application who have additional access via roles or functionality, but who do not have privileged access. Elevated access users include, for example, supervisors or reviewers.
- The University provides access to information infrastructure and services to authorised users.
- Suspected or known security incidents are reported to the Information Technology Services (ITS) Cyber and Digital Security Team by email, and remediation will be coordinated from that office.
- The University is responsible for:
- providing and maintaining access to information infrastructure and systems for authorised users;
- authorising and providing non-ANU entities with network access and determining the form of the network access;
- suspending an authorised user's network access for breaches of policy, including where suspension results from penalties or disciplinary action;
- where possible, informing users and auxiliary account holders when their devices are blocked from network access and outlining the actions to be undertaken before network access will be restored; and
- establishing and managing the life cycle of user accounts for authorised users. De-activation and/or expiration of access occurs when an authorised user leaves or ceases association with the University, when an account reaches its expiration date, or when account closure is requested.
System owner responsibilities
- System owners are responsible for:
- the security architecture, including the identity and access architecture, of the system that they manage;
- providing appropriate network access to authorised system users and business areas;
- ensuring that all users are advised of and acknowledge all relevant ANU policies and related documentation, and are provided with adequate training and support on the use of information infrastructure;
- reviewing and updating privileged access and elevated access on a semi-annual basis (at least every six months), removing access that is no longer required;
- identifying and managing disaster recovery and business continuity requirements for the system; and
- ensuring that risk management, including risk assessment and mitigation, and change management processes, are undertaken with respect to the system.
- System owners maintain a list of privileged and elevated account users for the system. They are responsible for:
- implementing and maintaining a system access approval process. This process limits the access level of users to that required to undertake their duties;
- ensuring that users with elevated or privileged access are provided with adequate training and support on the use of privileged accounts and the security of information assets;
- ensuring that privileged accounts are kept to a minimum and only used for essential administrative tasks; and
- ensuring that privileged accounts are controlled and that their use is accountable, i.e. attributable to an identified individual.
- Authorised users:
- maintain the integrity of the network, system, and physical infrastructure;
- do not negatively impact the usage and output of other system users;
- maintain awareness of and compliance with all relevant ANU policies and related documentation, rules and standards governing IT and information assets;
- complete all user training required by the system owner; and
- comply with security and password requirements, as set out in the Passwords procedure.
- Users of privileged accounts:
- ensure the security of the account and access, and report any identified risks to the system owner; and
- only use their privileged account for administrative purposes, i.e. they do not browse the web or access email while logged in with this access.