Information Security – Access and Account Management Procedure
Intent
This Procedure has been developed to support the Information Security Policy, and provides guidance for managing user accounts and access to the digital assets of James Cook University (JCU; the University). It ensures operational security, integrity, and compliance of the University’s information systems, user accounts, and data with relevant industry standards.
Scope
This Procedure applies to all Authorised Users of JCU’s information management system regardless of location, whether during or after business hours, or whether on JCU-owned or privately owned devices.
Definitions
Refer to the Digital Policy Glossary for a comprehensive list of definitions, terms and explanations relating to information security at JCU.
Access Rights: Permissions assigned to authorised users to access assets, systems, and applications required for academic, administrative, or operational activities, adhering to the principles of Role-Based Access and the Least Privilege Principle.
Account Type(s): Categories of user accounts managed under the University’s Information Security – Identity and Access Management Standard.
Authentication: The process of verifying a user’s identity through credentials such as passwords, biometrics, security codes, or tokens.
Authorisation: The process of validating a user’s permissions to access resources or systems, ensuring they can only access authorised areas.
Identification: The act of establishing a user’s identity, typically through credentials such as a username or email address.
Least Privilege Principle: Ensures users are granted the minimum level of access required to perform their responsibilities, reducing security risks by limiting access to sensitive resources.
Review of Access Rights: A periodic evaluation of user access to ensure it aligns with their current roles and responsibilities. Access may be revoked immediately for policy violations or upon termination of the user’s association with the University.
Role-Based Access Control (RBAC): A method of granting access to digital resources based on a user’s role and responsibilities, ensuring permissions are appropriate for their duties.
Security Operations Centre (SOC): The function responsible for monitoring, assessing, and defending an organisation against cybersecurity threats. The SOC handles real-time incident response and threat analysis, and maintains continuous surveillance of the organisation’s security posture.
Single Sign On (SSO): A session and user authentication service that allows a user to use one set of login credentials to access multiple applications.
System Administrator: An individual responsible for managing user accounts and access rights within systems at James Cook University (JCU).
Introduction
JCU leverages automated account provisioning for most account types (e.g., staff and student accounts) through authoritative systems like the Human Resources System and Student Management System. These automated processes streamline identity creation, modification, and termination of most user accounts.
Where account types and systems are unable to support automation, manual account provisioning and access management are required. This procedure primarily focuses on the workflows and responsibilities for managing accounts manually, ensuring compliance with organisational policies and security standards.
The following internal standards provide detailed guidance and requirements to support this procedure:
- Information Security – Identity and Access Management (IAM) Standard; and
- Information Security – Authentication Management Standard.
Internal standards are managed and maintained by the Technology Solutions Directorate ensuring they remain current and aligned with evolving requirements.
Procedure
1. User Access Roles and Responsibilities
Action | Responsible Officer
Define the roles and responsibilities for users based on Role-Based Access Control (RBAC) and the Least Privilege Principle. |
Manage the application configuration to enforce defined roles and responsibilities, ensuring permissions align with RBAC and the Least Privilege Principle. |
2. Adding Digital Technology Assets to JCU’s Identity Management System
Action | Responsible Officer
Submit a ServiceNow request to ensure all new and existing digital technology assets are added to JCU’s identity management system. If integration with existing systems is not possible, apply for an exemption in accordance with the Exemption Process below. |
Provision, maintain and configure systems in the Identity Management System as outlined in the Account Creation and Management process below. |
* The “System Administrator – Identity Management System” has specific responsibilities in this section. This role also holds all other responsibilities named under “System Administrator” as defined throughout the procedure.
3. Account Creation and Management
3.1 Automated Account Creation
Action | Responsible Officer
Assign roles and permissions based on pre-configured rules that align with specific job functions or academic roles. |
Synchronise identity data from authoritative systems to ensure accuracy and prevent duplication. |
3.2 Manual Account Creation
Action | Responsible Officer
Submit requests for new accounts through the Access Request workflows in ServiceNow. If a workflow is not available for a particular system, submit a ‘Request Help’ form in ServiceNow specifying: |
Ensure identification of the user through a unique identifier (e.g., username or email address) before creating the account. |
Create the account and assign access rights based on RBAC and the Least Privilege Principle. |
4. Authentication Management
Action | Responsible Officer
Ensure that all authentication requirements (single sign-on, multi-factor authentication and passwords) for accounts are implemented in accordance with the Information Security – Authentication Management Standard. If this is not possible, seek an exemption in accordance with the Exemption Process below. |
5. Account Modifications and Access Removal
Action | Responsible Officer
Ensure user access rights reflect any changes to role requirements or responsibilities. |
Update access rights as soon as advised: removals and standard modifications must be actioned immediately, while modifications that increase access should be completed by close of business, or as a priority on the next business day if received after hours. |
Lock accounts for terminated employees as per the timelines defined in the Information Security – Identity and Access Management (IAM) Standard. |
6. Logging and Monitoring
Action | Responsible Officer
Ensure all log types, including but not limited to authentication, access, and account-related events as required by this procedure and any related internal standards, are sent to the Security Operations Centre (SOC) for continuous monitoring, alerting, and analysis. Examples include: Sufficient detail must be included in logs to support root cause analysis and auditing purposes, including but not limited to: If sending logs to the SOC is not possible, alternative automated tools must be used to detect unauthorised activities or anomalies in real time. |
Retain logs according to JCU’s data retention policies. |
Review logs quarterly to detect anomalies or unauthorised activities and report these to the Cybersecurity Team for investigation. |
Investigate incidents including: |
7. Reporting Incidents and Unauthorised Access
Action | Responsible Officer
Immediately report incidents of unauthorised access or suspicious activity related to this procedure and any associated internal standards to the Cybersecurity Team and log an incident in ServiceNow. |
Implement incident response procedures as outlined in the Cyber Security Incident Response Plan. |
8. Emergency Access Provisioning
Action | Responsible Officer
Provision temporary emergency access upon approval for critical incidents managed in ServiceNow. |
Assign the minimal access necessary to address the emergency. |
Log and monitor all emergency access activity during the incident. |
Revoke emergency access immediately upon resolution of the incident. |
9. Access and Account Reviews
Action | Responsible Officer
Send reminders to Product Owners and System Administrators to conduct annual access and compliance reviews. |
Conduct annual reviews to ensure: |
If any risks, anomalies, or concerns are identified, submit a ServiceNow request to the Cybersecurity Team for further investigation. |
Ensure findings and user feedback inform updates and improvements to policies, processes and other documentation. |
10. Exemption Process
Action | Responsible Officer
Submit a general ServiceNow request to the Cybersecurity Team, detailing: |
Approve or deny the exemption/exception, documenting the decision in ServiceNow. |
Record the exemption/exception in the Information Security Risk Register. |
Monitor and review the exemption/exception periodically to ensure continued relevance and appropriateness. |
11. Awareness and Training
Action | Responsible Officer
Identify training needs related to this procedure and associated internal standards annually and in consultation with the Cyber Team and Technology Solutions’ Senior Management Team. Notify the Cyber Training and Awareness Coordinator to schedule the required training. |
Related policy instruments
Digital Technologies Acceptable Use Policy
Digital Technologies Acceptable Use Procedure
Queensland Government Information Security Policy (IS 18:2018)
ISO/IEC 27001 Information security, cybersecurity, and privacy protection – Information security management systems – Requirements
ISO/IEC 27002 Information security, cybersecurity, and privacy protection – Information security controls
Information Security Management Framework
Information Security – Identity and Access Management (IAM) Standard
Information Security – Authentication Management Standard
Schedules/Appendices
Nil
Administration
NOTE: Printed copies of this procedure are uncontrolled, and currency can only be assured at the time of printing.
Approval Details
Policy Domain | Corporate Governance |
Policy Sub-domain | Risk, Assurance, Regulatory and Compliance |
Policy Custodian | Vice Chancellor |
Approval Authority | Council |
Date for next Major Review | 09/05/2030 |
Revision History
Version | Approval date | Implementation date | Details | Author |
25-1 | 09/05/2025 | 13/05/2025 | Procedure revised to support the Information Security Policy. Renamed from ICT Account and Access Management Procedure to Information Security – Access and Account Management Procedure. | Chief Information Security Officer |
22-1 | 13/07/2022 | 18/07/2022 | Procedure amended to clarify password requirements | Manager, Information and Cyber Security |
2017-1 | 08/02/2017 | 09/02/2017 | Procedure established | Information and Communications Technology |
Keywords
Keywords | IAM, joiners, movers, leavers, NIST, ISO, authentication, MFA, SSO, passwords |
Contact person | Information Security - Governance, Risk and Compliance Manager |