DOC - enterprisesolutions.vic.gov.au

Identity and Access Management
Policy
The Victorian Government will achieve consistent identity and access management across its
departments and agencies through the implementation of a suite of standards.
Keywords: Access management, identity management
Identifier: IDAM POL 01
Version no.: 1.5
Status: Final
Issue date: 30 November 2013
Date of effect: 1 January 2014
Next review date: 1 July 2015
Authority: Victorian Government CIO Council
Issuing authority: Victorian Government Chief Technology Advocate
Except for any logos, emblems, trademarks and contents attributed to other parties, the policies, standards and
guidelines of the Victorian Government CIO Council are licensed under the Creative Commons Attribution 3.0
Australia License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/au/
Overview
Policy objectives
The objectives of this Victorian Government (VG) identity and access management policy are to:
- deliver a consistent risk-based approach to assessing identity and access management (IDAM) requirements;
- reduce the risk of inappropriate access, use or release of sensitive information;
- provide evidence where such release has occurred;
- support information sharing by providing for appropriate protection; and
- reduce the cost to agencies of IDAM by reducing duplication of effort.
Policy statement
The Victorian Government will achieve consistent identity and access management across its
departments and agencies through the implementation of a suite of standards.
Frameworks under which the policy will operate
The set of IDAM policies, standards and guidelines is based primarily on three risk-based Australian
Government frameworks which have been adapted to VG requirements:
- the Protective Security Policy Framework (PSPF), managed by the Attorney-General’s Department (AGD), insofar as it applies to Information and Communication Technology (ICT) information, people, processes and assets;
- the Information Security Manual (ISM), managed by the Australian Signals Directorate (ASD); and
- the National eAuthentication Framework (NeAF), managed by the Australian Government Information Management Office (AGIMO).
Rationale
The Commonwealth Attorney-General’s PSPF, as the basis of our Victorian Government Information
Security Policy and Standards, directs agencies to use the NeAF to “…ensure they appropriately
safeguard all official information to ensure confidentiality, integrity and availability by applying
safeguards so that only authorised people, using approved process, access information.” It requires
agencies to apply the NeAF in the following three Information Security Mandatory Requirements:
- INFOSEC 4: for on-line transactions and services;
- INFOSEC 5: to assess access requirements;
- INFOSEC 6: for requirements of authentication techniques and policies.
Scope
The use and adaptation of VG ICT policies, standards, guidelines and other supporting material is open
to all, under the appropriate Creative Commons license of the document in question.
Use of VG ICT policies and standards is mandated for:
- all VG departments
- Victoria Police
- VicRoads
- State Revenue Office
- Environment Protection Authority
- Public Transport Victoria
- Country Fire Authority
- State Emergency Services
- Ambulance Victoria
- Emergency Services Telecommunications Authority
- Metropolitan Fire and Emergency Services Board
- CenITex
The policy applies to all VG IDAM activities, including, but not limited to, users that are VG staff and
external users of VG systems including consumers, citizens, customers, vendor/service supplier staff,
and (where relevant) the organisations they are associated with.
Where applicable, legal and/or regulatory compliance obligations take precedence over this policy and
related standards. Departments and agencies may have additional legal and/or regulatory information
protection compliance requirements. Examples include (but are not limited to) Victoria Police and the
Commissioner for Law Enforcement Data Security (CLEDS), credit card processing contract obligations
of the Payment Card Industry Data Security Standard (PCI DSS) and the Information Privacy Act 2000.
Compliance
Timing
The date given at the head of this policy is when the policy comes into effect, not the date for
implementing the supporting standards or achieving compliance with standards.
Reference and toolkits
Victorian Government information security policy and standards:
http://www.enterprisesolutions.vic.gov.au/business-systems/information-security/
Australian Government Protective Security Policy Framework (PSPF):
http://www.protectivesecurity.gov.au/Pages/default.aspx
Australian Government Information Security Manual (ISM):
http://www.dsd.gov.au/infosec/ism/index.htm
Australian Government National eAuthentication Framework (NeAF):
http://www.finance.gov.au/policy-guides-procurement/authentication-and-identitymanagement/national-e-authentication-framework/
Further information
For further information regarding this standard, please contact enterprisesolutions@dpc.vic.gov.au.
Glossary
Term | Meaning
Access management | The capability and processes that permit or deny access to systems, thus controlling the ability to read, modify or remove information.
AGD | Auditor General’s Department
CIO | Chief Information Officer
ASD | Australian Signals Directorate
ICT | Information and Communications Technology
ISM | Australian Government Information Security Manual
NeAF | National eAuthentication Framework
PSPF | Australian Government Protective Security Policy Framework
Staff | Employees (whether permanent or part-time) and people from other organisations who are engaged to perform duties for the Victorian government (e.g. temporaries, contractors, and consultants).
Version history
Version | Date | Details
1.0 | September 2006 | Final
1.1 | December 2012 | Review Draft 1 - Aligning to new template and policy and standards
1.2 | February 2013 | Review Draft 2
1.3 | 12 March 2013 | ISAG Subgroup – review draft 3
1.4 | 3 September 2013 | ISAG group final comments
1.5 | 30 November 2013 | Submission to CIO Council