Information Security, Identity and Access Management Standard

Section 1 - Purpose

(1) Identity and access management (IAM) ensures the right individuals have the right level of access to information and information systems at the right times for the right reasons. IAM’s role is to identify, authenticate and authorise access.

(2) The IAM Standard sets out the minimum mandatory security controls to ensure all access to RMIT information and information systems is authorised.

(3) This standard has been aligned to AS ISO/IEC 27002:2015, Information technology - Security techniques - Code of practice for information security controls, and is designed to ensure RMIT adheres to global security and privacy compliance obligations.

Section 2 - Authority

(4) Authority for this document is established by the Information Technology and Security Policy.

Section 3 - Scope

(5) This standard applies to all individuals who have access to RMIT’s information or information systems including RMIT Group staff, students, casual employees, contractors, visitors, third parties (suppliers), and agents of the organisation who are bound to RMIT policy where their contract of engagement with the University specifically provides for this.

(6) Access to RMIT information and information systems can be logical or physical, and this standard applies regardless of whether the information is held on RMIT’s premises or at other locations. The following standards represent the minimum mandatory requirements for identity and access management within RMIT.

Section 4 - Standard

Requirements

(7) The standards are grouped by relevant security domains of IAM, and aligned to the relevant business process owner responsible for ensuring the requirement is implemented or adhered to.

Identity Management and Onboarding

Standard
Description
Responsibility
IAM-010
Ensure identity proofing checks are carried out for staff.
People team
IAM-020
Ensure identity proofing checks are undertaken for enrolled students.
Enrolment and Student Records
Student Services (RMIT Training)
Course Mentor (RMIT Online)
IAM-040
Ensure users acknowledge and are contractually bound to their security responsibilities for access and use of RMIT information and information systems. 
For example:
  1. formal terms and conditions for students, alumni and researchers, typically during an enrolment process
  2. employment contract for staff.
Staff: People team
Enrolled Students: Enrolment and Student Records, Student Support (RMIT Online), Student Services (RMIT Training)
Alumni: Information Services (Alumni and Philanthropy)

System Access

(8) The following standards aim to prevent unauthorised access to systems and applications.

Standard
Description
Responsibility
IAM-050
Define access control requirements for information and information systems based on business needs, classification of information, with consideration given to the principle of least privilege access.
System Owner
Information Owners
IAM-060
Ensure an access control model for RMIT information systems is documented and includes:
  1. appropriate access rights to ensure the principle of least privilege access
  2. list of access approvers
  3. guidelines for user access provisioning, de-provisioning and role changes.
Identity Platform owner
System Owner
IAM-070
Prevent the use of shared accounts, unless authorised by the CISO team for a documented business reason.
N.B. Shared accounts must have owners (see IAM-190).
System Owners
IAM-080
Where the use of shared accounts is approved, ensure there is a centralised record of shared account activities that can be tracked to a person using the account at that time.
For example: maintain a register to document the date and time that a person takes responsibility for using a shared account or device.
Shared Account Owner
IAM-090
Configure service accounts to meet the following:
  1. disable interactive logon
  2. restrict to a system or function
  3. identifiable to a system or function
  4. monitored for inappropriate use
  5. account owner assigned is linked to the system owner
N.B. Service account passwords are to be configured in accordance with IAM-170.
Account Administrators
System Administrator
IAM-100
Configure information systems to deny access by default.
System Administrators
IAM-110
Configure information systems with a secure logon.
For example:
  1. systems should have a logon banner that requires a user to acknowledge and accept their security responsibilities before access to the system is granted
  2. not display a password whilst being entered
  3. encrypt passwords during transmission and storage.
System Administrators
IAM-120
Configure information systems to deny access and require users to reauthenticate if inactive for 15 minutes.
For example: lock screen and require reauthentication.
System Administrators
IAM-130
Configure user and service accounts to lock out after a maximum of fifteen failed attempts:
  1. failed logon attempts occurring within 30-minute period
  2. user account disabled for a 30-minute period
  3. service accounts must be re-enabled by CISO team.
System Administrators
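
As an added illustration (not part of the standard and not RMIT's own tooling), the IAM-130 lockout rule as a small Python state machine: failed logons are counted over a rolling 30-minute window, a user account is disabled for 30 minutes after the fifteenth failure, and a service account stays disabled until it is re-enabled. Clock values are minutes on a monotonic counter, an assumption made only to keep the example self-contained.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds from IAM-130 above. Times are minutes on a monotonic clock (demo assumption).
MAX_FAILED_ATTEMPTS = 15
FAILURE_WINDOW_MIN = 30     # failed attempts are counted within a 30-minute period
USER_LOCKOUT_MIN = 30       # user accounts are disabled for a 30-minute period


@dataclass
class LockoutState:
    """Per-account lockout tracker (written for this example, not RMIT's code)."""
    is_service_account: bool = False
    failures: List[float] = field(default_factory=list)  # times of recent failed logons
    locked_until: Optional[float] = None                 # user accounts only
    awaiting_reenable: bool = False                      # service accounts only

    def record_failure(self, now: float) -> bool:
        """Record a failed logon at `now`; return True if it triggers lockout."""
        # Keep only failures inside the rolling 30-minute window.
        self.failures = [t for t in self.failures if now - t < FAILURE_WINDOW_MIN]
        self.failures.append(now)
        if len(self.failures) < MAX_FAILED_ATTEMPTS:
            return False
        self.failures.clear()
        if self.is_service_account:
            self.awaiting_reenable = True   # IAM-130(3): re-enabled by the CISO team only
        else:
            self.locked_until = now + USER_LOCKOUT_MIN   # IAM-130(2): 30-minute disable
        return True

    def is_locked(self, now: float) -> bool:
        if self.awaiting_reenable:
            return True
        return self.locked_until is not None and now < self.locked_until

    def reenable(self) -> None:
        """Manual re-enable by the CISO team (service accounts)."""
        self.awaiting_reenable = False
        self.locked_until = None
        self.failures.clear()


def attempt_logon(state: LockoutState, now: float, password_ok: bool) -> str:
    """Gate a logon: 'locked', 'denied' (bad password) or 'ok'. Success clears the count."""
    if state.is_locked(now):
        return "locked"
    if not password_ok:
        return "locked" if state.record_failure(now) else "denied"
    state.failures.clear()
    return "ok"
```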

Account Administration

(9) The following user account maintenance requirements will ensure only authorised user access and will prevent unauthorised access to systems and services.

Standard
Description
Responsibility
IAM-140
Develop & maintain user account management processes to meet RMIT business and information system requirements.
Identity Platform Owner
IAM-150
Develop & maintain user access provisioning processes to meet RMIT business and information system requirements, which include:
  1. Business & Technology System Owner approvals
  2. access provisioning and de-provisioning
  3. access rights management e.g. access rights of users who have changed roles and/or personas
  4. blocking access rights of users who have left the organisation
  5. periodic access review
Identity Platform Owner
IAM-160
Ensure RMIT systems provide a self-service password portal for users to change and reset their own passwords.
Identity Platform Owner
IAM-170
Configure service and privileged accounts with the following password requirements, where passphrases/words are the sole method of authentication:
  1. minimum character length of 20 for service accounts and 10 for privileged accounts, both with complex characters
  2. service accounts maximum password age is 365 days
  3. privileged accounts maximum password age is 90 days
  4. password must be unique from the last 15 passwords used
  5. non-sequential passwords used (e.g. Password1, Password2, etc.)
Account Administrators
Systems Administrators
IAM-180
Configure user accounts with the following password requirements, where passphrases/words are the sole method of user authentication:
  1. minimum character length of 8 with complex characters
  2. maximum password age is 180 days
  3. password must be unique from the last 15 passwords used
  4. non-sequential passwords used (e.g. Password1, Password2, etc.)
  5. prevention of multiple user-initiated password changes in one day
Account Administrators
Systems Administrators
IAM-190
Only create shared user accounts where approved by CISO team and mark the account owner as the shared account requestor.
N.B. Shared accounts are ordinarily restricted. See IAM-070 & IAM-080.
Account Administrators
Systems Administrators
IAM-200
Configure RMIT user accounts to force a password change at first logon.
Account Administrators
Systems Administrators
IAM-210
Verify user identity before performing password reset.
Account Administrators
Systems Administrators
IAM-220
Use stronger authentication such as multifactor authentication for high risk access.
For example: administrative functions or remote access from untrusted devices
Identity Platform Owner
System Owner
IAM-230
Issue RMIT user accounts that are unique to their persona and are linked to an identity record.
Account Administrators
IAM-240
Ensure redundant user accounts are not reissued to another person.
Account Administrators
IAM-250
Periodically initiate user access reviews.
Account Administrators
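
As an added illustration, not the standard's own text or any RMIT tool, a Python checker that applies the password rules of IAM-170 and IAM-180 to a proposed password for a given account type. The standard does not define "complex characters", so the checker assumes at least three of four character classes; the history is kept as plain SHA-256 digests purely so the demo runs self-contained.

```python
import hashlib
import re
from typing import List

# Parameters from IAM-170 (service/privileged) and IAM-180 (user) above.
POLICY = {
    "user":       {"min_len": 8,  "max_age_days": 180},
    "privileged": {"min_len": 10, "max_age_days": 90},
    "service":    {"min_len": 20, "max_age_days": 365},
}
HISTORY_DEPTH = 15      # must differ from the last 15 passwords (both standards)
MIN_CLASSES = 3         # assumed reading of "complex characters": 3 of 4 character classes

def pw_hash(pw: str) -> str:
    # Unsalted SHA-256 keeps the demo self-contained; a real history store uses a salted password hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def _char_classes(pw: str) -> int:
    return sum(bool(re.search(p, pw)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))

def _is_sequential(new: str, current: str) -> bool:
    """Password1 -> Password2 style change: same stem, only the trailing number differs."""
    a, b = re.fullmatch(r"(.*?)(\d+)", new), re.fullmatch(r"(.*?)(\d+)", current)
    return bool(a and b and a.group(1) and a.group(1) == b.group(1) and a.group(2) != b.group(2))

def check_password(new: str, current: str, account_type: str, history: List[str]) -> List[str]:
    """Return the IAM-170/IAM-180 rules a proposed password breaks (empty list = compliant).

    `history` holds pw_hash() digests of earlier passwords, oldest first, current one last.
    """
    rules = POLICY[account_type]
    problems = []
    if len(new) < rules["min_len"]:
        problems.append(f"shorter than {rules['min_len']} characters")
    if _char_classes(new) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if pw_hash(new) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if _is_sequential(new, current):
        problems.append("sequential variant of the current password")
    return problems

def password_expired(days_since_change: int, account_type: str) -> bool:
    """Maximum password age: 365 days service, 90 privileged, 180 user."""
    return days_since_change > POLICY[account_type]["max_age_days"]
```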

User Access

(10) The following requirements ensure users are accountable for safeguarding their user account information and ensure users only have access to the information and information systems required for a legitimate purpose.

Standard
Description
Responsibility
IAM-260
For access to RMIT information and information systems, follow RMIT user access request processes.
Users
IAM-270
Do not disclose passwords to any other person regardless of position within RMIT University.
Users
IAM-280
Never keep a paper or clear text record of passwords.
Tip: Use a secure password manager to keep a record of passwords.
Users
IAM-290
If a user becomes aware their account has been compromised, they must change their password and notify the Service & Support Centre immediately by phone.
Users
IAM-300
Validate & approve user access requests ensuring they are relevant for job role.
Line Managers
IAM-310
Initiate an update of user access rights when staff move from one role to another.
Line Managers
IAM-320
Complete a review of the application and system access granted to their staff upon receipt of a periodic access review request.
Line Managers

Third-Party, External User and Agent Access Management

(11) The following requirements ensure third-party services suppliers (suppliers) to RMIT only have access to the information and information systems required to perform their contracted duties. Third-party services suppliers include:

  1. agents
  2. consultants
  3. contractors
  4. vendors.
Standard
Description
Responsibility
IAM-340
For access to RMIT information and information systems, follow RMIT user access request processes.
Third-Party User
IAM-350
Validate & approve user access requests for third-party service suppliers, ensuring access is restricted to services supplied under contracts or agreements.
Operational Contract Owner
IAM-360
Ensure user accounts for third-party service suppliers are disabled upon expiry or cessation of contract or agreement.
Operational Contract Owner

Privileged User Access Management

(12) Privileged accounts should be used for any privileged access. Users of privileged accounts are often targeted by an adversary, as their accounts can potentially give full access to a system. To minimise the risk associated with the use of privileged accounts, the following requirements must be met.

Standard
Description
Responsibility
IAM-370
Develop & maintain a privileged access provisioning process to meet RMIT business and information system requirements, which includes:
  1. Business & Technology System Owner approvals
  2. periodic access review
The provisioning process must be aligned to the access control model (refer to IAM-060).
Identity Platform Owner
System Owners
IAM-380
Ensure privileged access user accounts are kept to a minimum.
Identity Platform Owner
System Owners
IAM-390
Identify specific permissions that provide privileged user access to their system based on the principle of least privilege access.
System Owner
IAM-400
Ensure systems require multi-factor authentication for privileged user access.
Identity Platform Owner
IAM-410
Ensure highly privileged accounts are not used for business as usual (BAU) administrative tasks.
For example: Domain Administrator or Root User type accounts are not to be used for service desk administrative tasks.
Identity Platform Owner
IAM-420
Do not log on to systems or perform regular business activities from privileged user accounts.
For example: log on to systems with a normal user account and use privilege escalation to perform administrative functions.
Privileged User
IAM-430
Ensure secret authentication information of highly privileged accounts is kept secure when not in use.
For example: passwords sealed and kept in a secure repository (safe).
Identity Platform Owner
IAM-440
Issue privileged access user accounts to users with a separate user account ID from their day-to-day user account.
Account Administrator
IAM-450
Configure privileged accounts to clearly identify them as being privileged in nature.
For example: clearly distinguished from normal user account naming convention.
Account Administrator
IAM-460
Configure privileged accounts to deny access to the internet or email.
Account Administrator
IAM-470
Configure privileged accounts to have an end date and expire.
Account Administrator
IAM-480
Where a user’s role changes and they no longer require privileged access, this access must be removed within 24 hours.
Account Administrator

Segregation of Duties

Standard
Description
Responsibility
IAM-490
User roles that can request, approve or provision access to RMIT information and information systems are to remain segregated, so that no single user can approve or provision access based on their own request.
Identity Platform Owner
System Owners
IAM-500
Ensure user accounts are kept separate across technology environments.
For example: separate accounts used in development, test and production environments.
Identity Platform Owner
System Owners

Information Security Standards Exemptions

(13) Exemptions from the information security standards and other ITS policy documents must be sought using the ITS policy exemption request process determined by the Chief Information Security Officer.

(14) Exemptions must be sought prior to undertaking investigation of alternatives.