Identity and Access Management Policy

The Victorian Government will achieve consistent identity and access management across its departments and agencies through the implementation of a suite of standards.

Keywords: Access management, identity management
Identifier: IDAM POL 01
Version no.: 1.5
Status: Final
Issue date: 30 November 2013
Date of effect: 1 January 2014
Next review date: 1 July 2015
Authority: Victorian Government CIO Council
Issuing authority: Victorian Government Chief Technology Advocate

Except for any logos, emblems, trademarks and contents attributed to other parties, the policies, standards and guidelines of the Victorian Government CIO Council are licensed under the Creative Commons Attribution 3.0 Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/au/

Overview

Policy objectives

The objectives of this Victorian Government (VG) identity and access management policy are to:
- deliver a consistent risk-based approach to assessing identity and access management (IDAM) requirements;
- reduce the risk of inappropriate access, use or release of sensitive information;
- provide evidence where such release has occurred;
- support information sharing by providing for appropriate protection; and
- reduce the cost to agencies of IDAM by reducing duplication of effort.

Policy statement

The Victorian Government will achieve consistent identity and access management across its departments and agencies through the implementation of a suite of standards.
Frameworks under which the policy will operate

The set of IDAM policies, standards and guidelines is based primarily on three risk-based Australian Government frameworks which have been adapted to VG requirements:
- the Protective Security Policy Framework (PSPF), managed by the Attorney-General’s Department (AGD), insofar as it applies to Information and Communication Technology (ICT) information, people, processes and assets;
- the Information Security Manual (ISM), managed by the Australian Signals Directorate (ASD); and
- the National eAuthentication Framework (NeAF), managed by the Australian Government Information Management Office (AGIMO).

Rationale

The Commonwealth Attorney-General’s PSPF, as the basis of our Victorian Government Information Security Policy and Standards, directs agencies to use the NeAF to “…ensure they appropriately safeguard all official information to ensure confidentiality, integrity and availability by applying safeguards so that only authorised people, using approved process, access information.” It requires agencies to apply the NeAF in the following three Information Security Mandatory Requirements:
- INFOSEC 4: for on-line transactions and services;
- INFOSEC 5: to assess access requirements;
- INFOSEC 6: for requirements of authentication techniques and policies.

Scope

The use and adaptation of VG ICT policies, standards, guidelines and other supporting material is open to all, under the appropriate Creative Commons license of the document in question.
Use of VG ICT policies and standards is mandated for:
- all VG departments
- Victoria Police
- VicRoads
- State Revenue Office
- Environment Protection Authority
- Public Transport Victoria
- Country Fire Authority
- State Emergency Services
- Ambulance Victoria
- Emergency Services Telecommunications Authority
- Metropolitan Fire and Emergency Services Board
- CenITex

The policy applies to all VG IDAM activities, including but not limited to users that are VG staff and external users of VG systems, including consumers, citizens, customers, vendor/service supplier staff, and (where relevant) the organisations they are associated with.

Where applicable, legal and/or regulatory compliance obligations take precedence over this policy and related standards. Departments and agencies may have additional legal and/or regulatory information protection compliance requirements. Examples include (but are not limited to) Victoria Police and the Commissioner for Law Enforcement Data Security (CLEDS), credit card processing contract obligations under the Payment Card Industry Data Security Standard (PCI DSS), and the Information Privacy Act 2000.

Compliance

Timing

The date given at the head of this policy is when the policy comes into effect, not the date for implementing the supporting standards or achieving compliance with those standards.
Reference and toolkits

Victorian Government information security policy and standards: http://www.enterprisesolutions.vic.gov.au/business-systems/information-security/
Australian Government Protective Security Policy Framework (PSPF): http://www.protectivesecurity.gov.au/Pages/default.aspx
Australian Government Information Security Manual (ISM): http://www.dsd.gov.au/infosec/ism/index.htm
Australian Government National eAuthentication Framework (NeAF): http://www.finance.gov.au/policy-guides-procurement/authentication-and-identitymanagement/national-e-authentication-framework/

Further information

For further information regarding this policy, please contact enterprisesolutions@dpc.vic.gov.au.

Glossary

Access management: The capability and processes that permit or deny access to systems, thus controlling the ability to read, modify or remove information.
AGD: Attorney-General’s Department
CIO: Chief Information Officer
ASD: Australian Signals Directorate
ICT: Information and Communications Technology
ISM: Australian Government Information Security Manual
NeAF: National eAuthentication Framework
PSPF: Australian Government Protective Security Policy Framework
Staff: Employees (whether permanent or part-time) and people from other organisations who are engaged to perform duties for the Victorian government (e.g. temporaries, contractors, and consultants).

Version history

Version  Date               Details
1.0      September 2006     Final
1.1      December 2012      Review Draft 1 - Aligning to new template and policy and standards
1.2      February 2013      Review Draft 2
1.3      12 March 2013      ISAG Subgroup – review draft 3
1.4      3 September 2013   ISAG group final comments
1.5      30 November 2013   Submission to CIO Council