Identity and Access Management


VICTORIAN GOVERNMENT CIO COUNCIL

Victorian Government Identity and Access Management

Identity and Access Management Standard

Departments and agencies must use the identity and access management frameworks specified by the Australian Government in all identity and access management (IDAM) initiatives and ongoing lifecycle management.

Keywords: IDAM, identity, access management, registration, authentication, authorisation, credentials, enrolment, identification, NeAF.

Identifier: IDAM STD 01
Version no.: 1.0
Status: Final
Issue date: 30 November 2013
Date of effect: 1 January 2014
Next review date: 1 July 2015
Authority: Victorian Government CIO Council
Issuing authority: Victorian Government Chief Technology Advocate

Exemptions

Any exemptions to this standard must be reported to departmental / agency governance bodies.

Except for any logos, emblems, trademarks and contents attributed to other parties, the policies, standards and guidelines of the Victorian Government CIO Council are licensed under the Creative Commons Attribution 3.0 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/au/

Requirement

This standard, in alignment with the associated Victorian Government (VG) Information Security Policy and Standards, mandates the use of the identity and access management (IDAM) frameworks specified by the Australian Government, as adapted to Victorian requirements, and in particular the National e-Authentication Framework (NeAF), managed by the Australian Government Information Management Office (AGIMO).

This standard requires departments and agencies (collectively referred to as agencies hereafter) to apply the NeAF framework to all IDAM initiatives and their associated IDAM lifecycle management, to determine the required level(s) of assurance for the IDAM initiative, and to determine the strength of registration and authentication needed to meet that level of assurance. This includes reviewing all IDAM initiatives against the NeAF framework whenever an IDAM system is enhanced, modified or extended to a wider user base, and regular ongoing monitoring of compliance against the framework and other related identity and access management policies and standards.

This standard is to be read and applied in conjunction with the associated IDAM STD 02-1 Strength of Registration for Staff, IDAM STD 02-2 Strength of Registration for Citizens & Organisations, IDAM STD 03 Strength of Authentication Mechanism and IDAM GUIDE 01 Identity and Access Management.

Overview

NeAF uses a risk management approach to determine the level of assurance (or trust) required before access is granted to systems and networks, the strength of registration and identification required to meet this level of assurance, and the strength of the authentication mechanism required to meet this level of assurance. NeAF also provides an overarching IDAM Framework, Lifecycle and High Level Architecture that cover the legal, policy, process and technology factors of identity and access management. (Refer to NeAF Better Practice Guide Volume 4 for further information.)

Rationale

The current VG Information Security Management Policy and associated standards are based primarily on risk-based Australian Government frameworks which have been adapted to VG requirements. They include the Protective Security Policy Framework (PSPF), managed by the Attorney-General's Department (AGD), insofar as it applies to Information and Communication Technology (ICT) information, people, processes and assets, and the Information Security Manual (ISM), managed by the Australian Signals Directorate (ASD).

The PSPF directs agencies to use the NeAF to appropriately safeguard all official information, preserving its confidentiality, integrity and availability by applying safeguards so that only authorised people, using approved processes, access information.

Standard: Identity and Access Management (IDAM STD 01) v1.0 November 2013 / page 2

It requires agencies to apply the NeAF in the following three Information Security Mandatory Requirements:

INFOSEC 4: for on-line transactions and services
INFOSEC 5: to assess access requirements
INFOSEC 6: for requirements of authentication techniques and policies

Lifecycle management for IDAM

Agencies must manage the full IDAM lifecycle in accordance with VG standards, including the generation, issuance, activation, suspension, revocation and re-issuance of credentials, and must put in place the people, processes and technology required to support this lifecycle management.

Derivation

This standard is derived from SEC POL 01 Information Security Management Policy, which states in part that the VG will adopt Australian Government frameworks, including the PSPF, ISM and NeAF, where appropriate and practicable.

Scope

The use and adaptation of Victorian Government ICT policies, standards, guidelines and other supporting material is open to all, under the appropriate Creative Commons license of the document in question. Use of VG ICT policies and standards is mandated for:

all VG departments
Victoria Police
VicRoads
State Revenue Office
Environment Protection Authority
Public Transport Victoria
Country Fire Authority
State Emergency Services
Ambulance Victoria
Emergency Services Telecommunications Authority
Metropolitan Fire and Emergency Services Board
CenITex

This standard applies to all VG IDAM activities, including but not limited to those involving users who are VG staff and external users of VG systems, including consumers, citizens, customers, vendor / service supplier staff, and (where relevant) the organisations they are associated with.

Where applicable, legal and/or regulatory compliance obligations take precedence over this and related VG standards. Agencies may have additional legal and/or regulatory information protection compliance requirements. Examples include (but are not limited to) the obligations of Victoria Police under the Commissioner for Law Enforcement Data Security (CLEDS), credit card processing contract obligations under the Payment Card Industry Data Security Standard (PCI DSS), and the Information Privacy Act 2000.

Compliance

Timing: From the date of effect on the front of the document.
Reporting: Reporting of compliance with VG IDAM standards will be via the annual VG ISMF reporting as required by VG SEC STD 01.

Guidelines, toolkits and references

NeAF: http://agimo.gov.au/policy-guides-procurement/authentication-and-identity-management/nationale-authentication-framework/
VG IDAM Policy and Standards: http://digital.vic.gov.au/policies-standards-guidelines/identity-and-access-management/
VG Information Security Policy and Standards: http://digital.vic.gov.au/policies-standards-guidelines/information-security/

Further information

For further information regarding this standard, please contact the Department of State Development and Business Innovation, at digital.government@dsdbi.vic.gov.au

Glossary (meanings largely adapted from the NeAF Glossary)

AGD: Attorney-General's Department
ASD: Australian Signals Directorate
Assurance: A process to confirm one of several security goals to protect information and information systems, including authentication, integrity, availability, confidentiality, and accountability.
Authentication: The process that delivers a Level of Assurance of the identity of an entity (person or organisation).
IDAM: Identity and access management
Identification: The process whereby identifiers are associated with a particular Identity.
ISM: Australian Government Information Security Manual
NeAF: National e-Authentication Framework
PSPF: Australian Government Protective Security Policy Framework
Registration: The processes associated with the initial identification of, and allocation of an authentication credential to, a user.
Staff: Employees (whether permanent or part-time) and people from other organisations who are engaged to perform duties for the Victorian government (e.g. temporaries, contractors, and consultants).

Version history

Version  Date              Details
0.1      21 February 2013  Draft 1 new Standard for review by ISAG IDAM subgroup
0.2      12 March 2013     Draft 2 to ISAG subgroup
0.3      20 March 2013     Draft 3 to wider ISAG
0.4      October 2013      Updates / clarification as per ISAG feedback
0.5      30 November 2013  Submission to CIO Council - final review dates and links
1.0      30 November 2013  Final submission to CIO Council