Systems Access Policy

Granting Specific Access

Todo

Requesting Additional Privileges

Todo

Periodic Access Review

Todo

Suspension of Inactive Accounts

An account suspension is triggered after 30 days of inactivity. A warning is sent 7 days prior and on the day of suspension.

This is in accordance to the Security Control 1404 of the Australian Government Information Security Manual (ISM) from the Australian Cyber Security Centre (ACSC).

Security Control: 1404; Revision: 2; Updated: Sep-19; Applicability: O, P, S, TS

Access to systems, applications and data repositories is removed or suspended after one month of inactivity.

This is also a requirement of control A.9.2.6, from the ISO 27001 standard.

ISO 27001: 9.2.6 Removal or adjustment of access rights

The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Removal of Accounts during the Off-boarding Process

Accounts in the off-boarding processes are closely monitored and suspended as soon as a business purpose is no longer served. Accounts are deactivated during the off-boarding process and marked for removal at the conclusion of the off-boarding process. These accounts will be purged from the system automatically 30 days after removal.