Systems Access Policy
Granting Specific Access
The following groups of assets have been identified by the Organization:*
- Human Resources (people)
- Applications and databases
- Documentation (in paper or electronic form)
- IT, Communication, and other physical equipment
- Computerized Infrastructure
- Outsourced Services
*Further sub-classifications can be applied to these groups, as well.
*Any Staff members who require access to Information Systems, Resources, Networks, and Network Services must be cleared to the appropriate level for their role(s).*
- These are subject to scheduled and unscheduled access reviews, continuity in assignment levels, records, and other rules and regulations. All up-to-date information regarding specific policies and procedures can be found here.
Requesting Additional Privileges
- All requests to add, change, or update privileges must go through the ITSec Team via a Jira ticket. The ITSec Team will review the request and may require additional communication before the new access is granted.
Periodic Access Review
- Individual and Group access will be reviewed by the ITSec team: annually, as part of a promotion/transfer, or more frequently if required.
Suspension of Inactive Accounts
An account suspension is triggered after 30 days of inactivity. A warning is sent 7 days prior and on the day of suspension.
This is in accordance with Security Control 1404 of the Australian Government Information Security Manual (ISM) from the Australian Cyber Security Centre (ACSC).
Security Control: 1404; Revision: 2; Updated: Sep-19; Applicability: O, P, S, TS
Access to systems, applications and data repositories is removed or suspended after one month of inactivity.
This is also a requirement of control A.9.2.6, from the ISO 27001 standard.
ISO 27001: 9.2.6 Removal or adjustment of access rights
The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Removal of Accounts during the Off-boarding Process
Accounts in the off-boarding process are closely monitored and suspended as soon as they no longer serve a business purpose. Accounts are deactivated during the off-boarding process and marked for removal within 24 hours of its conclusion. These accounts will be purged from the system automatically 30 days after removal.