ICT Access and Account Management Procedures
Intent
These Procedures have been developed to support the Digital Technologies Acceptable Use Policy and will further the intent of that Policy by:
- Expressing the commitment of the University to maintaining secure, effective and reliable University ICT Services;
- Governing the provision, maintenance and termination of accounts giving access to University ICT Services;
- Outlining the provision, modification and removal of access to University ICT Services; and
- Ensuring that the University provides its account holders with secure and timely access to the online services and resources necessary for undertaking their work and study.
Scope
These Procedures apply to all Authorised Users of the University ICT Services managed by the University or third party providers on behalf of the University, both on and off campus.
Definitions
Defined terms in the ICT Acceptable Use Policy have the same meaning in these ICT Access and Account Management Procedures.
Account means a user name or other identifier which, with or without a password, allows a user to access University ICT Services.
Asset Owner means an individual or collective group with accountability and authority for University ICT Services.
College/Directorate Representative means a person appointed by a College or Directorate whose role is to control use of University ICT Services allocated to their College or Directorate.
Delegate Account means an external account that is control by an account manager. The account manager can change the account's name, occupancy dates and password.
General Access Teaching Computer Facilities Labs (GATCF) means the computing labs and equipment provided by the University.
Generic Account means an Account that is not linked to personal identity (e.g. a University staff or student).
ICT News Bulletins means information supplied by ICT either by email, automatically output on a workstation or on the web-based University news boards.
Outside User means a person or organisation, external to the University.
Privileged System Access means access to administrative roles within operating systems, databases and applications, for example, root access in a Linux system.
Research DMZ means a portion of the network, built at or near the campus or laboratory's local network perimeter that is designed such that the equipment, configuration, and security policies are optimised for high-performance research applications rather than for general-purpose business systems or enterprise computing.
Table of Contents
- Creation of staff Accounts
- Creation of student Accounts
- Creation of external Accounts
- Creation of delegate Accounts
- Creation of staff administration secondary Accounts
- Requesting additional access
- Requesting generic Accounts
- Passwords
- Resetting forgotten passwords
- Modification of staff access when their relationship with the University changes
- Modification of student access when their relationship with the University changes
- Additional requirements for Information and Communications Technology staff
- Access reviews
- Suspending Accounts
- Disabling and deletion of student Accounts
- Disabling and deletion of staff Accounts
- Disabling and deletion of delegate and external Accounts
- Records management
- Contacts
Introduction
These procedures are designed to support the operational nature of the Digital Technologies Acceptable Use Policy by providing detailed access management procedures.
University ICT Services are the property of the University.
Procedure
1. Creation of staff accounts
Hiring managers must:
- Complete the necessary hiring requisition using the Human Resources Information System (HRIMS).
Information and Communications Technology will:
- Create a user network Account. All staff Accounts will be provided with access to University ICT Services including:
- University email;
- Wireless network access (eduroam);
- Corporate applications including MyHR Online, Staff Online, Cognos, Riskware and Concur; and
- Access to common file shares (where appropriate).
- Provide the Account details to the staff member or nominated supervisor.
Supervisors will:
- Show new staff how to change their password on first login.
2. Creation of student accounts
Information and Communications Technology will:
- Create student Accounts when the student is entered into the University system for the purpose of offering the student a place at the University.
Prospective undergraduate and postgraduate students who have accepted offers will:
- Obtain the University computer account details (login, password and email address) from Get Started @ JCU. Students will need their 8 digit University student number, supplied to them by the University Admissions included in the letter of offer to a course to log in.
- Change their password on first login.
3. Creation of external accounts
External Accounts can be arranged for Outside Users, visiting academics, staff or students for the purpose of providing access to central systems, email and internet access. The External Account Form is used for a single user which will be at the University for an extended amount of time.
An External Account - User Registration Form must be completed and forwarded to the ICT Central Service Desk.
Information and Communications Technology will:
- Create the external Account and notify the owner of the account of the Account details.
4. Creation of delegate accounts
Delegate Accounts are similar to external Accounts, however they allow staff members to have control over the occupancy of the Account. The Account manager can change the Account's name, occupancy dates, and password, via a web service. This is useful for allowing visiting academics, staff or students access to the central systems including internet access. The Delegate Account is usually used for users which are changing over short periods of time.
A Delegate Account Application Form must be completed and forwarded to the ICT Central Service Desk.
Information and Communications Technology will:
- Create the Delegate Account and notify the owner of the account of the Account details.
5. Creation of staff administration secondary accounts
University staff or students, with Privileged System Access, must use an Account, separate from their standard user Account. The Account will have a naming convention suitable to allow for ease of identification.
Asset Owners will:
- Create a secondary administrative Account for University staff or students with Privileged System Access in accordance with the ICT Least Privilege Guidelines.
6. Requesting additional access
Authorised Users can request additional access to University ICT Services, including file shares and applications. If a staff member requires a level of access different to that usually given to people in their relevant area, their Dean of College or Director must authorise the level of access required and submit that authorisation to Information and Communications Technology or Asset Owner.
The staff member applying for additional access will:
- Submit requests for additional access to the appropriate Dean of College or Director (in the format required by the College or Directorate) for authorisation; and
- Submit the authorised request to the ICT Central Service Desk.
The Dean of College or Directorate will:
- Decide whether to authorise the additional access in accordance with University policies and procedures.
Information and Communications Technology will:
- Maintain a register of authorised College/Directorate Representatives;
- Validate and allocate additional access; and
- Where Information and Communications Technology is unable to allocate access, they will notify the relevant Asset Owner.
7. Requesting generic accounts
Generic Accounts are manually created by Information and Communications Technology from time to time to meet the University's operational needs. Generic Accounts are not permitted for access to student, financial or personal identifiable information.
The staff member will:
- Submit the request for Generic Account(s) to the appropriate Dean of College or Director (in the format required by the College or Directorate).
The Dean of College or Director will:
- Decide whether to approve the Generic Account(s) and access in accordance with applicable University policies and procedures; and
- If approved, forward the request to the ICT Central Service Desk.
Information and Communications Technology will:
- Create the Generic Account and notify the owner of the account of the account details; and
- Manually delete the Generic Account upon expiry, or at the request of the person responsible for the Generic Account.
8. Passwords
Authorised Users must:
- Select passwords that comply with the University password requirements;
- Change their passwords at regular intervals; and
- Maintain security of their password.
Information and Communications Technology will:
- Implement a baseline tiered password policy based on user group, as defined in Table 1 below.
Table 1 – Password Requirements
Requirement
| User Group | ||||
---|---|---|---|---|---|
Undergraduate, Postgraduate and Research Students | Staff, Generic, Delegate and External Accounts | ICT Staff Secondary Administrative /Domain Accounts | Service Accounts (e.g. application to database) | System Accounts (e.g. root in Linux) | |
Null passwords | Not Allowed | Not Allowed | Not Allowed | Not Allowed | Not Allowed |
Minimum length | 8 characters | 8 characters | 15 characters | 16 characters | 20 characters |
Maximum length | System maximum | System maximum | System maximum | System maximum | System maximum |
Repeating characters (AAA) of adjoining characters (ABC) | Not allowed | Not allowed | Not allowed | Not allowed | Not allowed |
Complexity (8-14 characters) | Contain at least 1 number (0 - 9), 1 uppercase character (A - Z) and 1 lowercase character (a - z) | Contain at least 1 number (0 - 9), 1 uppercase character (A - Z) and 1 lowercase character (a - z) | NA | NA | NA |
Complexity (15 or more characters) | Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z) | Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z) | Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z) | Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z) | Contain 1 number (0 - 9) or 1 uppercase character (A - Z) or 1 lowercase character (a - z) |
Password change (8-14 characters) | 365 days | 365 days | 365 days | As required. | 180 days (or upon departure of ICT staff with knowledge of the password) |
Password change (15 or more characters) | No change | No change | 365 days | As required. | 180 days (or upon departure of ICT staff with knowledge of the password) |
Apply brute-force mitigation after nominated unsuccessful attempts | Yes | Yes | Yes | Recommended | Recommended |
Stored in encrypted format | Yes | Yes | Yes | Yes | Yes |
Where systems do not support the above requirements, Information and Communications Technology will:
- Identify the system and conduct a risk assessment on the proposed solution to identify mitigating controls; and
- Implement the mitigating controls or make recommendations to the Asset Owner.
Administrative staff responsible for the Research DMZ will:
- Implement and maintain security guidelines for the Research DMZ; and
- Comply with the above password policy. Where compliance with the above password policy is not feasible, implement mitigating controls based on the results of a risk assessment.
9. Resetting forgotten passwords
Authorised Users who have forgotten the password for their Account must:
- Submit a request for password changes to the ICT Central Service Desk; or
- Submit a request in person to Library InfoHelp or;
- Use JCU’s password reset functionality (where available).
Information and Communications Technology will maintain a manual password reset process. Information and Communications Technology will:
- Send an email to the Authorised User’s alternative contact method (e.g. email) requesting the following information:
- Full name
- University staff/student number
- Term address/home address
- Division or College of employment/study
- Date of birth
- Confirm the Authorised User’s identity and provide a one-time password to the Authorised User’s pre-registered contact details to be changed on first login.
Library InfoHelp Staff will:
- Confirm the Authorised User’s identity using:
- University Staff or Student Card; or
- Other suitable form of photo identification.
- Confirm that the Authorised User’s account is still active; and
- Provide the Authorised User with the ability to enter a new password in-person.
10. Modification of staff access when their relationship with the University changes.
The relevant Dean of College or Director must:
- Notify Human Resources of any change in the relationship between a staff member and the University that might affect the staff member’s entitlement to University ICT Services.
The Director, Human Resources will:
- Ensure that the appropriate position changes are made in the HRIMS system. The system will send a message to Information and Communications Technology notifying of the change.
Information and Communications Technology will:
- Modify the staff members’ access to University ICT Services by following any standard modification processes which may be in place. This process will be automated where possible.
11. Modification of student access when their relationship with the University changes.
Student Services must record the individual status and progression of students within the University:
The Director, Student Services will:
- Ensure that the appropriate status changes are made in the Student Management Information System (SMIS). The system will send a message to Information and Communications Technology notifying of the change.
Information and Communications Technology will:
- Modify the student’s access to University ICT Services by following any standard modification processes which may be in place. This process will be automated where possible.
12. Additional requirements for Information and Communications Technology staff
Staff working in Information and Communications Technology who are enrolled in University courses or programs will not usually be granted access to University ICT Services where that access enables them to change their or others' academic results.
The Chief Digital Officer must:
- Maintain oversight of those staff who may also be registered as students of the University and ensure that access controls are sufficient to ensure that Information and Communications Technology staff cannot modify student related records; and
- Implement processes (e.g. supervision) to ensure that Information and Communications Technology staff members do not modify academic results or material. Information and Communications Technology staff members will not:
- view course material for any course, before that material is made available for viewing by students enrolled in the course, unless they have written permission from the staff member, lecturer, tutor, teacher or instructor who prepared the material, or from the course coordinator or relevant Dean of College;
- take any action that would result in them or any other person gaining an academic advantage over other students;
- access any personal, academic or confidential information about anyone else unless required in the course of their University duties; or
- perform any other action that is inappropriate for or unauthorised by their position or duties.
13. Access reviews
Asset Owners are responsible for reviewing system access and must:
- Review access on a periodic basis and must promptly revoke all privileges no longer required by Authorised Users.
- All special or privileged access to systems (such as administrative or supervisor Accounts, or staff working in Information and Communications Technology who are enrolled in University courses or programs) must be reviewed every 6 months.
- All Authorised User access must be reviewed at regular intervals not exceeding 12 months including when they change roles, in order to maintain effective access control and to prevent access creep.
Information and Communications Technology will:
- Provide Asset Owners with the appropriate reports to review current access.
14. Suspending accounts
The Chief Digital Officer, Director, Student Services or the Director, Human Resources may authorise suspensions of Accounts under certain conditions. Situations under which suspension of Accounts would be considered include (but are not limited to):
- Threats to the University ICT Services; or
- Inappropriate use of University ICT Services, systems or software.
15. Disabling and deletion of student accounts
Where a student's relationship with the University ends (e.g. by way of completion of course, discontinuance, lapse, withdrawal or expulsion), the Director, Student Services will:
- Make the appropriate changes in the Student Management Information System (SMIS) to reflect their end date.
Students who do not accept an offer to study at the University, or fail to enrol, will be routinely deleted from the system by Student Services. The SMIS will send a message to Information and Communications Technology notifying of the change.
Information and Communications Technology will:
- as per the following schedule:
Table 2 – Account Removal Timeline - Student
Relationship | Date at which access is disabled |
---|---|
Students – completed / graduated | 180 days after completion date |
Students – withdrawal | 1 day after date of withdrawal |
Students – lapsed | 1 day after date of lapse |
- Notify students whose Accounts are scheduled to be disabled by sending an email up to 30 days before the disable date. Students who will continue to have a relationship with the University after this date will be advised in that email of the process they must follow to retain their Accounts and appropriate access. No notification will be sent for deceased Student members. Students who have completed their course (i.e. alumni) with be provided with access to a University email account as determined by Student Services.
16. Disabling and deletion of staff accounts
If a staff member's relationship with the University ends (e.g. retirement, resignation, termination or end of contract), the relevant Dean of College or Director must:
- Notify Human Resources.
The Director, Human Resources will:
- Ensure that the appropriate changes are made in the Human Resources system to reflect the staff member’s end date; and
- Ensure relevant parties (including Asset Owners, Campus Security and Information and Communications Technology) are notified of the staff member's change in relationship with the University.
Asset Owners will:
- Remove privileged access from the staff member’s Account.
Information and Communications Technology will:
- Remove privileged access from the staff members Account (where this is associated with a predefined system security group);
- Disable the staff member’s Account and access to University ICT Services as per the following schedule:
Table 3 – Account Removal Timeline - Staff
Relationship | Date at which access disabled | Method |
---|---|---|
Staff/student Privileged Accounts | End of last day of employment. | Manual process |
Academic and Administrative Staff members – continuing (permanent) - resignation | End of last day of employment. | Automated trigger from Human Resources System |
Academic and Administrative Staff members termination or dismissal | Last day of employment | Automated trigger from Human Resources System |
Academic and Administrative Staff members – fixed term contract | Last day of employment | Automated trigger from Human Resources System |
Academic and Administrative Staff members – casual | 180 days after the date of end of casual contract or upon advice from Human Resources. | Automated trigger from Human Resources System |
- Notify staff members whose Accounts are scheduled to be disabled by sending an email up to 30 days before the disable date. Staff members who will continue to have a relationship with the University after this date will be advised in that email of the process they must follow to retain their Accounts and appropriate access. No notification will be sent for deceased staff members.
Staff members who have multiple relationships with the University (such as an account holder who is both student and staff member) who cease only one of their relationships will only have the access related to the terminating relationship removed.
17. Disabling and deletion of delegate and external accounts
Owners of Delegate and external Accounts must:
- Notify Information and Communications Technology when the Account is no longer required.
Information and Communications Technology will:
- Remove privileged access from the Delegate or external Account (where this is associated with a Security Group); and
- Disable the Delegate or external Account and access to University ICT Services.
18. Records management
Subject to the provisions of the Intellectual Property Policy, all records created by staff account holders in the course of their University duties are records, regardless of the form and technology used to generate them. These records are the property of the University and subject to its control, and they may be official records covered by the relevant state legislation.
Electronic documents, such as emails, are subject to the same requirements as hardcopy records and must be captured in accordance with the University's Record Management Policy.
The Records Management team within James Cook University have the delegated responsibility of ensuring all University public records are created, maintained, preserved and destroyed in accordance with both the University’s Retention and Disposal Schedule (RDS) and the General Retention and Disposal Schedule for Administrative Records (GRDS).
All staff members and their supervisors must:
- Ensure that all records are stored in the University's record management system(s), or
- Transferred to the University’s Records Management Team for storage, maintenance, preservation and destruction in the University’s record management system.
Where staff members are unable to ensure that the procedure in point 1) or 2) above is complied with before they leave the University (for instance, due to illness or death), the relevant supervisor of that staff member may request that the Chief Digital Officer authorise another University staff member to view and deal with the records associated with the Account before it is disabled and deleted.
19. Contacts
For further information, please contact:
- JCU ICT Central Service Desk (Townsville and Cairns: 4781 5500; Singapore: 6576 6811 – 814).
- JCU Director Human Resources (directorhrm@jcu.edu.au)
- JCU Chief Digital Officer (cdo@jcu.edu.au)
- JCU Student Services (enquiries@jcu.edu.au)
- JCU Copyright Officer (copyright@jcu.edu.au)
- JCU Privacy (gsu@jcu.edu.au)
- JCU Cybersecurity (cybersecurity@jcu.edu.au)
Related policy instruments
Digital Technologies Acceptable Use Policy and Procedures
Student Code of Conduct Policy
Code for the Responsible Conduct of Research
Code of Conduct – University Council
Related legislation
Queensland Australia
James Cook University Act 1997 (QLD)
Information Privacy Act 2009 (QLD)
Telecommunications Interception Act 2009 (QLD)
Queensland Right to Information Act 2009 (QLD)
Commonwealth Australia
Crimes Act 1914 (Cth Australia)
Cybercrime Act 2001 (Cth Australia)
Copyright Act 1968 (Cth Australia)
Telecommunications (Interception And Access) Act 1979 (Cth Australia)
Singapore
The Computer Misuse and Cyber security Act (Cap 50A) (Singapore)
Copyright Act (Cap 63) (Singapore)
SPAM Control Act (Cap 311A) (Singapore)
Undesirable Publications Act (Cap 338) (Singapore)
Administration
NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.
Approval Details
Policy Domain | University Management |
Policy Sub-domain | Digital |
Policy Custodian | Deputy Vice Chancellor, Services and Resources |
Approval Authority | Vice Chancellor |
Date for next Major Review | 08/02/2022 |
Revision History
Version | Approval date | Implementation date | Details | Author |
22-1 | 13/07/2022 | 18/07/2022 | Procedure amended to clarify password requirements | Manager, Information and Cyber Security |
2017-1 | 08/02/2017 | 09/02/2017 | Procedure established | Information and Communications Technology |
Keywords
Keywords | Access control, generic accounts, delegate accounts, password, generic accounts, external accounts, access review |
Contact person | Manager, Information and Cyber Security |