Identity and Access Management

Transcription

1 VICTORIAN GOVERNMENT CIO COUNCIL Victorian Government Identity and Access Management Identity and Access Management Standard Departments and agencies must use the identity and access management frameworks specified by the Australian Government in all identity and access management (IDAM) initiatives and ongoing lifecycle management. Keywords: IDAM, identity, access management, registration, authentication, authorisation, credentials, enrolment, identification, NeAF. Identifier: IDAM STD 01 Version no.: 1.0 Status: Final Issue date: 30 November 2013 Date of effect: 1 January 2014 Next review date: 1 July 2015 Authority: Victorian Government CIO Council Issuing authority: Victorian Government Chief Technology Advocate Exemptions Any exemptions to this standard must be reported to departmental / agency governance bodies. Except for any logos, emblems, trademarks and contents attributed to other parties, the policies, standards and guidelines of the Victorian Government CIO Council are licensed under the Creative Commons Attribution 3.0 Australia License. To view a copy of this license, visit

2 Requirement VICTORIAN GOVERNMENT CIO COUNCIL This standard, in alignment with the associated Victorian Government (VG) Information Security Policy and Standards, mandates the use of the identity and access management (IDAM) frameworks specified by the Australian Government, as adapted to Victorian requirements; and in particular, the National eauthentication Framework (NeAF), managed by the Australian Government Information Management Office (AGIMO.) This standard requires Departments and agencies (collectively referred to as agencies hereafter) to apply the NeAF framework to all IDAM initiatives and their associated IDAM lifecycle management, to determine the required level(s) of assurance for the IDAM initiative, and to determine the associated strength of registration and authentication to meet the required level of assurance. This includes reviewing all IDAM initiatives against the NeAF framework at times of IDAM system enhancement, modification, or extension of the user base, and regular ongoing monitoring of compliance against the framework and other related identity and access management policies, and standards. This standard is to be read and applied in conjunction with the associated IDAM STD 02-1 Strength of Registration for Staff, IDAM STD 02-2 Strength of Registration for Citizens & Organisations, IDAM STD 03 Strength of Authentication Mechanism and IDAM GUIDE 01 Identity and Access Management. Overview NeAF uses a risk management approach to determine the level of assurance (or trust) required before access is granted to systems and networks, the strength of registration and identification required to meet this level of assurance, and the strength of the authentication mechanism required to meet this level of assurance. NeAF also provides an overarching IDAM Framework, Lifecycle and High Level Architecture that cover the legal, policy, process and technology factors of identity and access management. (Refer to NeAF Better Practice Guide Volume 4 for further information.) Rationale The current VG Information Security Management Policy and associated standards are based primarily on riskbased Australian Government frameworks which have been adapted to VG requirements. They include the Protective Security Policy Framework (PSPF), managed by the Attorney-General s Department (AGD), insofar as it applies to Information and Communication Technology (ICT) information, people, processes and assets, and the Information Security Manual (ISM), managed by the Australian Signals Directorate (ASD). The PSPF directs agencies to use the NeAF to ensure they appropriately safeguard all official information to ensure confidentiality, integrity and availability by applying safeguards so that only authorised people, using Standard: Identity and Access Management (IDAM STD 01) v1.0 November 2013 / page 2

3 VICTORIAN GOVERNMENT CIO COUNCIL approved process, access information. It requires agencies to apply the NeAF in following three Information Security Mandatory Requirements: INFOSEC 4: for on-line transactions and services INFOSEC 5: to assess access requirements INFOSEC 6: for requirements of authentication techniques and policies Lifecycle management for IDAM Agencies must manage the full IDAM lifecycle in accordance with VG standards including generation, issuance, activation, suspension, revocation, re-issuance, etc., of credentials, and must put in place the people, processes and technology required to support this lifecycle management. Standard: Identity and Access Management (IDAM STD 01) v1.0 November 2013 / page 3

4 Derivation VICTORIAN GOVERNMENT CIO COUNCIL This standard is derived from SEC POL 01 Information Security Management Policy, which states in part that the VG will adopt Australian Government frameworks, including the PSPF, ISM and NeAF, where appropriate and practicable. Scope The use and adaptation of Victorian Government ICT policies, standards, guidelines and other supporting material is open to all, under the appropriate Creative Commons license of the document in question. Use of VG ICT policies and standards is mandated to: all VG departments Victoria Police VicRoads State Revenue Office Environment Protection Authority Public Transport Victoria Country Fire Authority State Emergency Services Ambulance Victoria Emergency Services Telecommunications Authority Metropolitan Fire and Emergency Services Board CenITex The policy applies to all VG IDAM activities, including but not limited to, users that are VG staff and external users of VG systems including consumers, citizens, customers, vendor/ service supplier staff, and (where relevant) the organisations they are associated with. Where applicable, legal and or regulatory compliance obligations take precedence over this policy and related standards. Agencies may have additional legal and or regulatory information protection compliance requirements. Examples include (but are not limited to) Victoria Police and the Commissioner for Law Enforcement Data Security (CLEDS), credit card processing contract obligations of the Payment Card Industry Data Security Standard (PCI DSS) and the Information Privacy Act Compliance Timing: From the date of effect on the front of the document. Reporting: Reporting of compliance with VG IDAM standards will be via the annual VG ISMF reporting as required by VG SEC STD 01. Standard: Identity and Access Management (IDAM STD 01) v1.0 November 2013 / page 4

5 Guidelines, toolkits and references NeAF: VICTORIAN GOVERNMENT CIO COUNCIL VG IDAM Policy and Standards VG Information Security Policy and Standards Further information For further information regarding this standard, please contact the Department of State Development and Business Innovation, at Glossary Term AGD ASD Assurance Authentication IDAM Identification ISM NeAF PSPF Registration Staff Meaning (largely adapted from the NeAF Glossary) Auditor General s Department Australian Signals Directorate A process to confirm one of several security goals to protect information and information systems, including authentication, integrity, availability, confidentiality, and accountability. The process that delivers a Level of Assurance of the identity of an entity (person or organisation.) Identity and access management The process whereby identifiers are associated with a particular Identity. Australian Government Information Security Manual National e-authentication Framework Australian Government Protective Security Policy Framework The processes associated with the initial identification of, and allocation of an authentication credential to, a user. Employees (whether permanent or part-time) and people from other organisations who are engaged to perform duties for the Victorian government (e.g. temporaries, contractors, and consultants.) Standard: Identity and Access Management (IDAM STD 01) v1.0 November 2013 / page 5

6 VICTORIAN GOVERNMENT CIO COUNCIL Version history Version Date Details February 2013 Draft 1 new Standard for review by ISAG IDAM subgroup March 2013 Draft 2 to ISAG subgroup March 2013 Draft 3 to wider ISAG 0.4 October 2013 Updates / clarification as per ISAG feedback November 2013 Submission to CIO Council - final review dates and links November 2013 Final submission to CIO Council Standard: Identity and Access Management (IDAM STD 01) v1.0 November 2013 / page 6