Policy Introduction and Purpose

This User Account Management Policy is a sub-policy of the Information Security Policy (IS01).

It sets out the requirements for the effective management of user accounts and access rights.

The management of, and compliance with, this policy is essential in order to ensure that access to the University’s information and information systems is restricted to authorised users.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

All users, their IT access accounts, and all information systems used to conduct University business, or which are connected to the University network, must be managed in accordance with this policy.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Principles of this Policy

User Account Eligibility

User accounts will only be provided for:

• Current university staff and students and some non-accredited students as necessary

• Alumni

• Emeritus staff and those who have otherwise been granted honorary or associate status (associates will include staff from other organisations which provide services to the University who may require access to the University’s information systems in order to fulfil their contractual obligations to the University.)

• Students waiting to graduate.

• Contractors, visiting staff, other workers or guests of the University who may be granted temporary access to the University’s network.

Each type of account will have access rights and functionality set according to an Information Management Profile which details the requirements of their role and required access rights.

Account Lifecycle

User accounts will be managed according to an associated lifecycle.

Staff accounts are created upon the confirmation of employment, typically triggered through the relevant HR process.

Staff accounts will be disabled upon termination of employment.

Staff accounts – and information linked to them – will be deleted according to relevant retention schedules.

Student accounts are generally created upon student enrolment.

Student accounts will be disabled upon graduation or upon permanent suspension of studies.

All other accounts will be managed according to the prevailing lifecycle aimed at providing access purely for the duration required by the role.

Authorisation to Manage

The management of user accounts and privileges on the University’s information systems is restricted to suitably trained and authorised members of staff.

Account & Privilege Management

Accounts will only be issued to those who are eligible for an account and whose identity has been verified.

When an account is created, a unique identifier (userID) will be assigned to the individual user for their individual use. This userID must not be assigned to any other person at any time (userIDs will not be recycled).

Where local system accounts are required, such accounts must record and be linked to the users University credentials.

On issue of account credentials, users must be informed of the requirement to comply with the University’s Information Management policies and must complete all required training as outlined in (IM02) Information Management Training Policy.

Access rights granted to users will be restricted to the minimum required in order for them to fulfil their roles.

Users’ access rights must be adjusted appropriately and in a timely manner to reflect any changes in a user’s circumstances (e.g. when a member of staff changes their role, or a member of staff or student leaves the University).

User accounts provision and permissions will be reviewed monthly.

Privileged accounts are accounts used for the administration of information systems and are distinct from user accounts. These accounts must only be used by system administrators when undertaking specific tasks which require special privileges. System administrators must use their user account at all other times.

Privileged account provision and permissions will be reviewed on a regular basis.

Password Management

As part of the account provisioning process, users will be provided an initial, temporary password. This password will be communicated to the user in a secure way and must be changed by the user immediately.

All users must set and use robust passwords to access University information systems. Guidance on how to set and maintain robust passwords can be found here.

Where possible users must never use either their University UserID or University Password on any non-University managed or supplied system outside of the University Network. This includes (not exhaustive) social media sites, personal email platforms and cloud computing services which may be accessed via the University network and/or devices.

Multi-Factor Authentication

Users may be asked to present additional evidence other than their password to authenticate themselves to University systems. This is referred to as Multi-Factor Authentication (MFA). The use of MFA greatly improves the security of user’s accounts along with the data and systems they access.

Information given to the University for MFA will be stored securely and only used for authentication purposes. It will be stored by the University or a University trusted provider and will not be provided to any third party without prior written consent, unless we are required to do so by law.

Access to University resources must be managed using the University provided MFA service. If there are technical barriers to using the University provided MFA service, then a local equivalent service should be used or other acceptable alternative arrangements (including risk acceptance).

Where such local services or alternative arrangements are used, they must be approved by the CITO and approval documented and retained.

The University (through appropriately authorised measures), may carry legally compliant monitoring and/or logging in order to ensure the integrity and security of the University network and associated assets. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Timely changes to User Account profiles (changes, suspensions and closing of accounts)
• Ensuring appropriate maintenance of ‘privilege’ access logs
• Requests for local/alternative service provisions to the CITO and any approvals
• Exemption requests and any approvals

All policies linked to this policy will be monitored and compliance performance will be reported monthly by Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.