IFM-PR-010: Managing Electronic Identities and Identity Management

• Education (General Provisions) Act 2006 (Qld) Sections 426 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/EducGenPrA06.pdf
• Public Records Act 2002 (Qld) Section 8 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/P/PublicRecA02.pdf
• Information Privacy Act 2009 (Qld) Chapter 2 Section 27 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/R/RightInfoA09.pdf
• Child Care Act 2002 (Qld) Section 167 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ChildCareA02.pdf
• Child Protection Act 1999 (Qld) Chapter 5A 4 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ChildProtectA99.pdf
• Vocational Education Training and Employment Act 2000 (Qld) Section 286 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/V/VocEdTrEmA00.pdf

• Information Standard 18 (IS18): Information Security - Principle 7 http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard 40 (IS40): Recordkeeping - Principle 7 http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
• Information Standard 38 (IS38): Use of ICT Facilities and Devices - Principle 1 http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/Use%20of%20ICT%20facilities%20and%20devices.aspx

• IFM-PR-002: Information Ownership and Data Custodianship /strategic/eppr/information/ifmpr002/
• IFM-PR-003: Classification and Handling of Information Assets /strategic/eppr/information/ifmpr003/
• ICT-PR-004: Using the Department's Corporate ICT Network /strategic/eppr/ict/ictpr004/
• IFM-PR-006: Maintaining the Security of Department Information and Systems /strategic/eppr/information/ifmpr006/
• IFM-PR-008: Managing the Department's Records /strategic/eppr/information/ifmpr008/
• SMS-PR-019: Mature Aged students /strategic/eppr/students/smspr019/
• SMS-PR-021: Safe, Supportive and Disciplined School Environment /strategic/eppr/students/smspr021/
• SMS-PR-027: Enrolment in State Primary, Secondary and Special Schools /strategic/eppr/students/smspr027/

Statement of intent

The Department of Education and Training encourages access to its information resources, provided security measures are in place to limit access to restricted (unclassified, in confidence, protected and highly protected) information to authorised persons.

IFM-PR-010: Managing Electronic Identities and Identity Management applies to all departmental business units, including schools, TAFEs, corporate and regional offices. It is considered that TAFEs and those that have become statutory authorities would benefit from adopting consistent management practices for identity and access management.

The department will provide secure access to information in departmental business systems to authorised users through the provision of electronic identities. Electronic identities may be provided to:

• enrolled students
• staff members and contractors who have been duly identified and authorised by the department
• responsible adults who have been identified, and, who have been verified as having one or more students enrolled in a state school/institute, and, who have demonstrated a need for an electronic identity which has been confirmed by the school/institute
• representatives of external organisations who have a legitimate role with the department, for example school chaplain, guidance officer, youth worker.

Access to classified information is only provided to users who have a legitimate business need and who have undergone the correct authentication process. This access and use will be managed and monitored in accordance with ICT-PR-004: Using the Department's Corporate ICT Network for schools, students and departmental staff and in accordance with the student rules applicable to TAFE Institute .

The required level of access control to information is determined by the security classification of that information as detailed in IFM-PR-003: Classification and Handling of Information Assets.

Electronic identities will be:

• managed through their complete lifecycle from registration, activation, maintenance, deactivation and deletion
• registered and logged in accordance with the Registration Framework, departmental policies and legislative requirements to enable compliance, monitoring and verification
• maintained as a central store, but copies of these identities may also be stored in other locations as required
• managed to ensure consistency and accuracy of identity data. Authorised users will be able to review and update defined attributes of electronic identities. Changes to an electronic identity will be logged and monitored.
• managed for students in accordance with enrolment records
• deactivated for employees upon the employee being seconded, dismissed, suspended or resigning
• deactivated for external users when the need for access no longer exists.

Student and staff members' safety will be maintained by minimising the risk of access by unauthorised users to personal and sensitive information.

Access to personal information should comply with the provisions of the Information Privacy Act 2009 (Qld) , Education (General Provisions) Act 2006 (Qld) s426 , Child Care Act 2002 (Qld) s167 , and the Vocational Education Training and Employment Act 2000 (Qld) s286 .

Responsibilities

• oversees development and implementation of the department's electronic identities framework of related policies, procedures and practices
• approves IFM-PR-010: Managing Electronic Identities and Identity Management and any subsequent reviews, amendments or associated departmental guidelines developed to implement this policy.
  

• provide advice and direction to system administrators regarding the management of the electronic identities within their own business system. This will be on an ongoing basis in accordance with this policy and include facilitating users' access to data and ensuring that there are appropriate access control mechanisms in place commensurate with information classification levels.
• define and classify data with respect to exposure and access in accordance with IFM-PR-003: Classification and Handling of Information Assets
• identify users, their roles and level of information access in accordance with any relevant documentation
• authorise this access and register according to Registration of Electronic Identities
• conduct a risk assessment of consequences of unauthorised access to information within the business system
• approve the use of Generic Accounts. This approval should be in accordance with a document such as a business case that includes a security risk analysis.
  NOTE: The use of generic account/s should be kept to a minimum with strict and proper procedures of use first established and agreed upon.
• specify information requirements for specific data entities
• delegate custodianship responsibilities to a relevant staff member
• determine registration level required for each user and credentials they require to access the business system in accordance with the Identity Authentication Assurance Levels and Verification and Evidence of Identity 82k extracted from the Queensland Government Authentication Framework (QGAF)
  NOTE: The location of a user while accessing departmental business systems e.g. staff members accessing a business system from desks in central office or district office may require a lower level of authentication than same officer accessing the same system from home or while mobile.
• ensure user access application forms for Business Systems include a privacy statement
• protect electronic identities for users, including students enrolled in schools who have become subject to legal orders, including but not limited to child protection orders, such that only authorised staff (e.g. Principal or delegate) have access.
  

• manage directories including changes to directories, security and data back-up and storage of directories
• as directed by relevant business system owners, manage user directories and processes for allocating and resetting passwords user access
• implement logging and relevant internal controls
• register users in accordance with Identity Authentication Assurance Levels and Verification and Evidence of Identity 82k provisions as aligned with the Queensland Government Authentication Framework (QGAF) ensure that user accounts for business system/s in schools and institutes match student enrolments
• manage change access rights whenever a user's role changes in accordance with the business systems security requirements with Management of Electronic Identities
• ensure identity directories meet business requirements specified by the Business System Owner
• ensure directory data held within the business system is managed and retained in accordance with IFM-PR-008: Managing the Department's Records
• ensure appropriate security mechanisms are in place to protect data from unauthorised access or modification, or accidental loss or corruption
• ensure appropriate logging and monitoring mechanisms and processes exist that are commensurate with the information classification level.
  

• ensure system administration occurs in accordance with the provisions of this policy where delegation has been given to system administrators for the management of staff and student electronic identities within Institutes and Schools
• ensure that staff members maintain the directories where current details of themselves are provided, for example, employee telephone directory, and contact details on public documents
• ensure that where personal statements are used, personal particulars are verified
• ensure that all forms used to collect information from Users include a privacy statement. This includes user application forms.
• ensure that an employee's access is cancelled in the event that an employee has resigned or been seconded, dismissed or suspended
• undertake a risk assessment in accordance with FNM-PR-021: Assessing Risk using the Risk Matrix and Risk Categories:
  • to determine the need for continuation of an employee's account (e.g. where the role of an employee changes). Consideration for deactivation of an account should include such elements as job tenure (permanent or temporary), inter-agency transfer extended leave and resignation.
  • to determine the need to deactivate a student's account during vacation periods. The risk assessment should consider a student's education/training outcomes, where accounts are to remain active (e.g. to access job notices) following a student's completion of all course requirements the risk assessment should consider the need and circumstances for access against network protection.
  • for managing electronic identities such as continuation or deactivation of an account
  • to determine whether a year 12 students' access should be deactivated upon completion of schooling, where accounts are to remain active (e.g. to access job notices) following a student's completion of all course requirements the risk assessment should consider the need and circumstances for access against network protection.
• advise System Administrators through approved change management procedures when staff commence duty, change their name and/or personal details, or leave the department
• inform Business System Owners through approved procedures when staff members should be deactivated for unacceptable use of business systems
• ensure that staff and students adhere to password and security requirements of the business system in use
• ensure that information about identities under protection orders is classified as highly protected and access is restricted in accordance with IFM-PR-003: Classification and Handling of Information Assets.
  

• advise Managed Internet Services (MIS) administrators to deactivate students who have left school
• ensure that enrolment procedures for students and mature age students conform to this policy
• manage deactivation of student's accounts that have been suspended or excluded within the requirements of SMS-PR-021: Safe, Supportive and Disciplined School Environment
• approve deactivation where considered appropriate for unacceptable use of business systems and inform system administrators to deactivate students/staff as required in line with ICT-PR-004: Using the Department's Corporate ICT Network
• inform system administrators through approved procedures to deactivate a student when their enrolment is cancelled
• ensure mature age students have current Positive Notices prior to enrolment in accordance with SMS-PR-019: Mature Aged Students.
  

• advise Managed Internet Services (MIS) administrators to deactivate students who have left school
• ensure that enrolment procedures for students and mature age students conform to this policy
• manage deactivation of student's accounts that have been suspended or excluded within the requirements of SMS-PR-021: Safe, Supportive and Disciplined School Environment
• approve deactivation where considered appropriate for unacceptable use of business systems and inform system administrators to deactivate students/staff as required in line with ICT-PR-004: Using the Department's Corporate ICT Network
• inform system administrators through approved procedures to deactivate a student when their enrolment is cancelled
• ensure mature age students have current Positive Notices prior to enrolment in accordance with SMS-PR-019: Mature Aged Students.
  

• incorporate in the strategic audit plan (3 year cycle) compliance of existing business systems and those under development to:
  • ensure regular reviews of electronic identities are undertaken by responsible officers to ensure they are managed in accordance with departmental policies and legislative requirements
  • ensure regular reviews of logs of electronic identities are undertaken by responsible officers to analyse registrations, changes and deactivations
  • review change management procedures for electronic identities
  • provide implementation advice and guidance on Queensland Government Authentication Framework (QGAF) including Identity Authentication Assurance Levels (IAAL)
    NOTE: This function may be provided by Internal Audit or DET ICT Security staff.
    

• provide advice on intellectual property, copyright and privacy issues, in relation to the operation of this policy.

• ensure requests for verifying and registering new employees are processed promptly
• ensure accuracy of staff information on the department's Human Resources Management Information System (e.g. HRMIS) as the prime source of identity information for all staff
• maintain details (for schools) of teachers and their registration numbers and validate this against data received from Queensland College of Teachers
• inform school principals and other relevant officers of any discrepancies, in particular those teachers who are no longer registered
• maintain details of non-teaching staff including their blue card numbers and process this against data received from the agency responsible for issuing blue cards
• inform Principals, Institute Directors and other relevant officers of any discrepancies, in particular those staff members who are no longer registered.
  

Forms

• Not Applicable

• Australian Government Information Security Manual

Other relevant documents

• Definitions/strategic/eppr/information/ifmpr010/definitions.html
• Identity Authentication Assurance Levels and Verification of Identity 82k/strategic/eppr/information/ifmpr010/iaals.pdf
• Management of Electronic Identities/strategic/eppr/information/ifmpr010/manageei.html
• Registration of Electronic Indentities/strategic/eppr/information/ifmpr010/regei.html
• Queensland Government Information Security Classification Framework http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/qgea2.0/Pages/azqgeadocs.aspx
• Queensland Government Authentication Framework http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/qgea2.0/Pages/azqgeadocs.aspx

Contacts

For information about managing electronic identities, contact:

• IFM-PR-001: Identity Management - Security - Version: 1.0
• IFM-PR-004: Management of Electronic Identities - Version: 1.0
• IFM-PR-010: Managing Electronic Identities and Identity Management - Version: 1.0