Policy Redesign Project

All policies and procedures are being reviewed as part of this project. This document is pending review, but remains in effect until the review is carried out.

Identity and Access Management Policy

Establishment: Vice-Chancellor, 5 December 2014
Last Amended: n/a
Nature of Amendment: n/a
Date Last Reviewed: n/a 
Responsible Officer: Director, Information Technology Services

1.  Objective

To maintain the confidentiality, integrity and availability of Flinders University’s information assets, an effective means of controlling physical and electronic access to university IT resources is required.

The objective of this policy is to:

  • Prevent unauthorised access to the university’s IT Resources;
  • Ensure the processes providing access to IT Resources are complete, consistent and auditable.

This policy is written to be consistent with the Information Security Standards AS/NZS ISO/IEC 27001:2006 and AS/NZS ISO/IEC 27002:2006.

2.  Scope

  • This policy applies to all staff, students, contractors and associated third parties who have reason to access any IT Resource owned or controlled by the university;
  • This policy’s coverage includes all IT facilities, hardware and software used in the provision of access to the university’s digitally stored information assets.

3.  Definitions

  • Information Assets comprise all forms of data or knowledge that are processed, stored and transferred that have value to Flinders University in both electronic and hardcopy forms;
  • IT Resource means any form of technology used to collect, process, store and disseminate information and includes computer hardware and software, business applications software, communication systems and networks;
    • IT Applications includes all in-house developed, business, off-the-shelf, third-party and user developed applications within the scope as described above;
    • IT Facility means any installation or building, such as a data centre, server room or network room, that contains critical IT Resources;
    • FAN is the Flinders Authentication Name, the unique value assigned to each user that identifies and authenticates users to University IT systems;
    • User is any person accessing any of the University's IT resources and/or facilities, including, but not limited to, staff, students, alumni, consultants, contractors, third parties, other users who are authorised by the University to access systems and/or the campus network, and anyone connecting non-Flinders University equipment (e.g. laptop computers) to the University network;
    • Business Owner is the person who is responsible for the sponsorship and ongoing management of an IT Application in support of a specific University outcome, and is responsible for vetting application access requests;
    • Least Privilege is the principle of receiving only the access privileges necessary to complete one’s job duties.

4.  Identity Repository

All individuals requiring access to University IT Resources must have their identity recorded in a central identity repository. This excludes guests, visitors and holders of identities from federated entities that have limited access to wireless or telephony resources. The Student System and Human Resources systems are to be considered the two sources of truth for student and staff user information respectively.

  • All recorded identities must be assigned a unique Flinders Authentication Name (FAN) identifier;
  • FANs should never be reused or reassigned to different identities;
  • Required information for each identity must be complete, accurate and current;
  • Flinders University reserves the right to grant, limit or withdraw access to some or all of its IT resources either temporarily or permanently.

5.  Physical Access to IT Facilities

  • IT Resources must be physically secured from unauthorised physical access through the use of appropriate security measures for IT Facilities;
  • Access to IT Facilities must be restricted to Authorised Users only.

6.  Access to the Flinders University Network

  • The University network will be accessible via the eduroam wireless access arrangement, which enables outside educational users access to the Flinders network via a federated access model;
  • The Flinders University network must operate a “zoned” security model, whereby network access to university IT resources is governed by the user’s role within the university (e.g. student, staff, or visitor).

7.  Access to University IT Resources

  • Access to university IT Resources will be granted only to Authorised Users. An Authorised User is entitled to system access either because of:
    • Membership in a recognised user category (e.g. student, staff or visitor); or
    • Explicit approval by a Business Owner.
  • Business Owners are responsible for recording approvals and requests for granting, changing and removal of access.

8.  Access to IT Resources at Other Universities/Institutions

The university may participate in “identity federation”, whereby holders of FAN identities can be granted access to resources hosted outside of the University, and holders of identities from federated entities can be granted access to resources hosted by the University.

9.  Authentication

  • All access to IT Resources must require, at a minimum, a FAN and password combination for authentication except where limited access is granted to guests, visitors or holders of identities from federated entities;
  • Additional authentication (two-factor) mechanisms will be used for access to sensitive University IT Resources, as determined by the Manager, ITS Security Services; and
  • Password security requirements must be consistent with the University’s password requirements defined by Appendix A - Account Naming and Password Requirements.

10.  Authorisation (Access Privileges)

  • The access privileges assigned to users will be designed on a least-privilege basis; and
  • Administrative access, other privileged accounts and generic accounts will be identified and monitored.

11.  Review of System Access

  • Business Owners are responsible for reviewing user accounts and access privileges on at least an annual basis, to:
    • Confirm that application users are still authorised for access to a particular IT Resource;
    • Confirm that distribution of access privileges within each IT Resource is appropriate; and
    • Ensure that evidence of the results of each access review is retained for audit purposes.

12.  Compliance and Enforcement

  • Manager, ITS Security Services is responsible for:
    • Ensuring the implementation of supporting controls to ensure the ongoing adherence to the requirements of this policy; and
    • Monitoring user compliance with this policy and investigating and reporting breaches of this policy.
  • Supervisors/Managers are responsible for reporting any security incidents or breaches of this policy by staff under their supervision to the ITS Service Desk.
  • Users are responsible for reporting any security incidents and breaches of this policy to the ITS Service Desk.
  • Failure by Users to comply with any element of this policy may result in disciplinary action in accordance with the relevant disciplinary procedures. These are:

13.  Related Documents

This policy should be read in conjunction with other relevant University policies and procedures, including:

Information Security Policy

IT Acceptable Use Policy

IT Asset Management Policy

IT Disaster Recovery Policy

Secure Mobile Computing Policy

IT Application Acquisition and Development Policy

14.  Appendix A - Account Naming and Password Requirements

Each account type is listed with its naming convention, password complexity, password expiry and password lockout requirements.

Flinders Authentication Name (Normal user account)

  • Naming Convention: First four characters of surname (family name) followed by four numeric digits
  • Password Complexity:
    • Minimum length: 9 characters
    • Must contain lower and upper case, numeric and special characters
    • Password history: 4 passwords
    • Minimum age: 0 days
  • Password Expiry: Annual
  • Password Lockout:
    • Lockout threshold: 10 attempts
    • Lockout time: 15 minutes

Administrator account (FANa)

Accounts used for accessing administrative systems.

  • Naming Convention: FANa
  • Password Complexity:
    • Minimum length: 10 characters
    • Must contain lower and upper case, numeric and special characters
    • Password history: 4 passwords
    • Minimum age: 4 days
  • Password Expiry: 180 days
  • Password Lockout:
    • Lockout threshold: 10 consecutive login failures over a 30 minute period
    • Lockout time: 1 hour

Service Account (s_)

Accounts used for system processes.

  • Naming Convention: s_servicename
  • Password Complexity:
    • Minimum length: 15 characters
    • Must contain lower and upper case, numeric and special characters
    • Password history: 4 passwords
    • Minimum age: 4 days
  • Password Expiry: Never
  • Password Lockout:
    • Lockout threshold: Unlimited
    • Lockout time: n/a

Generic Account (g_)

Accounts utilised temporarily by a group of users with limited access. Must not be used for Administrator access.

  • Naming Convention: g_description(A-Z)number(0-9)
  • Password Complexity:
    • Minimum length: 10 characters
    • Must contain lower and upper case, numeric and special characters
    • Password history: 4 passwords
    • Minimum age: 1 day
  • Password Expiry: Annual
  • Password Lockout:
    • Lockout threshold: 10 failed login attempts
    • Lockout time: Forever (manual reset)

Test Account (t_)

Accounts used for testing non-production systems.

  • Naming Convention: t_application(A-Z)number(0-9)
  • Password Complexity:
    • Minimum length: 10 characters
    • Must contain lower and upper case, numeric and special characters
    • Password history: 4 passwords
    • Minimum age: 1 day
  • Password Expiry: 180 days
  • Password Lockout:
    • Lockout threshold: 10 failed login attempts
    • Lockout time: Forever (manual reset)
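As an added illustration, not part of the policy and not code from any Flinders University system, the following Python encodes the Appendix A parameters as data and checks three things against them: which account type a name belongs to, which complexity rules a candidate password breaks, and whether a run of failed logins has reached the lockout threshold for that account type (including the 30 minute counting window for administrator accounts and the manual-reset case for generic and test accounts). The per-type numbers come from the appendix; the regular expressions for the naming conventions, the reading of "Annual" as 365 days, and the assumption that the surname part of a FAN is four lower-case letters are this example's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Rules transcribed from Appendix A. "Annual" is read here as 365 days (an
# assumption); expiry_days=None means the password never expires,
# lockout_threshold=None means unlimited attempts, and lockout_duration=None
# together with a threshold means the account stays locked until manually reset.
@dataclass(frozen=True)
class AccountRules:
    min_length: int
    expiry_days: Optional[int]
    lockout_threshold: Optional[int]
    lockout_window: Optional[timedelta]    # period over which failures are counted
    lockout_duration: Optional[timedelta]

RULES = {
    "fan":     AccountRules(9,  365,  10,   None,                  timedelta(minutes=15)),
    "admin":   AccountRules(10, 180,  10,   timedelta(minutes=30), timedelta(hours=1)),
    "service": AccountRules(15, None, None, None,                  None),
    "generic": AccountRules(10, 365,  10,   None,                  None),
    "test":    AccountRules(10, 180,  10,   None,                  None),
}

# Naming conventions from Appendix A as regular expressions (this example's
# reading). The FAN pattern assumes four lower-case surname letters; surnames
# shorter than four characters are not covered by the appendix text.
NAMING = {
    "admin":   re.compile(r"[a-z]{4}[0-9]{4}a"),   # FANa
    "fan":     re.compile(r"[a-z]{4}[0-9]{4}"),
    "service": re.compile(r"s_[a-z0-9]+"),         # s_servicename
    "generic": re.compile(r"g_[A-Za-z]+[0-9]+"),   # g_description(A-Z)number(0-9)
    "test":    re.compile(r"t_[A-Za-z]+[0-9]+"),   # t_application(A-Z)number(0-9)
}

def classify_account(name: str) -> Optional[str]:
    """Return the Appendix A account type a name belongs to, or None."""
    for kind, pattern in NAMING.items():
        if pattern.fullmatch(name):
            return kind
    return None

def password_problems(kind: str, password: str) -> list:
    """List every Appendix A complexity rule the candidate password breaks."""
    rules = RULES[kind]
    problems = []
    if len(password) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    # Every account type must contain all four character classes.
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems

@dataclass
class LockoutTracker:
    """Tracks failed logins for one account and applies its lockout rule."""
    kind: str
    failures: list = field(default_factory=list)
    locked_until: Optional[datetime] = None   # datetime.max = manual reset needed

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_success(self) -> None:
        # A successful login ends a run of consecutive failures.
        self.failures.clear()

    def record_failure(self, now: datetime) -> bool:
        """Record one failed login; return True if this failure locked the account."""
        rules = RULES[self.kind]
        if rules.lockout_threshold is None:        # service accounts: unlimited
            return False
        if rules.lockout_window is not None:
            # Only failures inside the counting window (admin: 30 minutes) count.
            self.failures = [t for t in self.failures if now - t < rules.lockout_window]
        self.failures.append(now)
        if len(self.failures) < rules.lockout_threshold:
            return False
        self.failures.clear()
        self.locked_until = (now + rules.lockout_duration
                             if rules.lockout_duration is not None else datetime.max)
        return True

    def manual_reset(self) -> None:
        self.failures.clear()
        self.locked_until = None
```

Keeping the rules as data rather than as branches makes the table in the appendix and the enforcing code diff against each other directly, which is what an access review under section 11 needs when confirming that what is configured still matches what the policy states.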