ICT Access Control - Operational Policy | UniSC | University of the Sunshine Coast, Queensland, Australia

Accessibility links

Non-production environment - https://edittrain.usc.edu.au

ICT Access Control - Operational Policy

1. Purpose of policy

This policy defines client access to Information and Communication Technology (ICT) resources at the University, the periods of eligibility for this access and the types of resources that are to be accessible by each client.

2. Policy scope and application

This policy applies to all University clients including staff, students and other clients who, based on their relationship with the University, need access granted to University ICT resources.

Access to ICT systems that are identified as restricted within the ICT Security - Managerial Policy is subject to System Owner authorisation and procedures. Base level access as described in this policy is a prerequisite to gaining access to these restricted systems but the individual System Owners will determine the eligibility for access and the rules for provisioning. While references to these restricted systems are made within this document, refer to the ‘User Management Procedures’ for further details of each restricted system.

3. Definitions

Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:

Provisioning means the provision of access to various ICT facilities to eligible individuals, as well as the removal of this access when eligibility lapses.

Three base levels of provisioning are identified:

  • Limited Access to the University’s self service web systems USC Central or USC Staff
  • Student Access to web systems, student email, network drives, Student workstations and on-campus Internet access, as appropriate for students to facilitate their study
  • Staff Access to web systems, the USC Portal, an email account, network drives, USC Staff and Student workstations and on-campus Internet access, as appropriate for staff to perform their duties.

Staff are defined as individuals who hold an active employment contract with the university and are present in the University’s Human Resources and Payroll System. Note: for the purpose of provisioning an individual who has recently had an active employment contract may also be considered as a staff member for a brief period after this contract has lapsed.

A Student is defined as an individual who is currently enrolled in a program at UniSC. However, where explicitly stated, student may include an applicant to the University, a student on a leave of absence, or a former student (alumni) who has completed their program and are present in the University’s Student Information System.

An Affiliate is defined as an individual who has a bonafide relationship with the University for which approval has been gained to offer access to various ICT resources.

An Affiliation is defined as a group of affiliates linked by predefined eligibility criteria who have a bona fide relationship with the University requiring access to University ICT resources.

4. Principles

The University's information technology environment is dynamic, characterised by openness, creativity and free sharing of information, to the greater benefit of universities generally.

While facilitating this free and open environment Information Technology must adhere to various state and federal legislative requirements regarding information security and privacy and strive to be consistent with the Queensland Government’s Information Standard IS18 and the ISO/IEC 27001 standard. Information Technology must also effectively manage the University’s investment in Information Technology.

For these reasons criteria must be established for the provisioning of services to the University community and procedures put in place for the effective management of this provisioning.

4.1 Staff provisioning

For the purpose of determining the rules for the provisioning of Information Technology resources and to ensure timely access to necessary resources staff are categorised into 3 groups:

a) Ongoing and Fixed-term Staff
b) Casual Professional staff
c) Casual Academic staff.

4.1.1 Ongoing and Fixed-Term staff: The provisioning of Information Technology resources will commence from the date an employment contract is received and entered into the HR/Payroll System, to a maximum of 7 calendar days prior to the official employment commencement date.

De-provisioning of Information Technology resources will become affective from the day following their official employment termination date.

4.1.2 Casual Professional Staff: The provisioning of Information Technology resources will commence from the date an employment contract is received and entered into the HR/Payroll System, to a maximum of 7 calendar days prior to the official employment commencement date.

De-provisioning of Information Technology resources will become effective on the day following the official pay day when the staff member has not received wages payment for eight consecutive pay periods (i.e. fortnights).

4.1.3 Casual Academic Staff: The provisioning of Information Technology resources will commence from the date an employment contract is received and entered into the HR/Payroll System, to a maximum of 30 calendar days prior to the official employment commencement date.

De-provisioning of Information Technology resources and deletion of stored data for casual Academic staff will be delayed for a period of 4 calendar months after their official employment termination date.

Casual Academic staff can request an extension beyond four months, with the approval of a Head of School or Cost Centre Manager. In all cases an application for extension must be received prior to the de-provisioning date and must provide an alternative de-provisioning date not extending beyond 12 months from the official termination date.

4.1.4 General conditions

Employment contracts are cumulative and staff will only be de-provisioned where they have no other current employment with the University or subject to any provisioning conditions inherent with another employment contract.

Subject to University policies on Intellectual Property and Copyright, terminating staff are responsible for retrieving copies of any data they wish to retain prior to their termination date. Data generated or stored in either the network drives or email system remains the property of the University. Supervisors of a terminating staff member who believes this data could be of benefit to the University can request access to this data by notifying Information Technology within 14 days of the staff member’s termination date. After this date, personal data will be processed in a manner consistent with the University’s Information Management Framework – Governing Policy and future recovery may not be possible.

Certain groups of staff who have been identified as not requiring access to email and portal facilities, subject to the relevant cost centre manager’s approval, will be provided a Limited Access account (e.g. Events & Catering Casual staff and Practical Teaching Mentors & Coordinators). All other staff will be provided a full Staff Access account.

The de-provisioning of access to restricted Systems, including corporate applications, may commence earlier than the timeframes outlined above as determined by the relevant System Owners.


4.2 Student provisioning

For the purpose of determining the most appropriate rules for the provisioning of Information Technology resources, students are categorised into two groups:- Current Students and non-active students. This latter category includes applicants, alumni and students who have had some interruption to study (i.e. leave of absence, abandonment or have faltered in attaining any qualifications.)

4.2.1 The student lifecycle

When a potential student expresses an intent to study at the university (either through QTAC or directly) they are entered into the Student Information System. The student is then tracked within the Student Information System and subject to the conditions set by the Academic Board, status information is applied to each student’s record. The status changes recorded in the Student Information System then determines the level of Information Technology access with which they are provisioned.

When the University agrees to make a potential student an offer to commence study they are provided a Limited Access account allowing them to use our USC Central web system for the purpose of accepting that offer and enrolling.

When that potential student accepts this offer they are provided a full Student Access account. This provides a student email account, network drive space, and access to the Internet, all subject to a quota system tailored to the particular career they have chosen. They also gain access to printing and Library facilities.

Note: access to the USC Portal and Learning Management System is subject to a student’s enrolment into courses with separate eligibility conditions as determined by the System Owner of the Learning Management System.

If a student is excluded (failed to meet academic requirements), Voluntarily Discontinues or Abandons their studies, access reverts back to Limited Access 30 days after the end of the semester or session in which they were last enrolled.

If a student is expelled, access reverts back to Limited Access from the day after the effective date of this expulsion.

When a student completes their program, access will revert back to Limited Access 30 days after their date of completion. Students studying for a Higher Degree by Research may request an extension beyond this date with the approval of the Director, Office of Research.

Students who have successfully completed a program are flagged for the provisioning of Systems specifically targeted for alumni, as determined by the relevant System Owners and their credentials will remain active indefinitely for this purpose.

4.2.2 General conditions

Subject to University policies on Intellectual Property and Copyright, students are responsible for retrieving copies of any data they wish to retain prior to reverting back to a Limited Access account. After this date, personal data will be processed in a manner consistent with the University’s Information Management Framework – Governing Policy and future recovery may not be possible.

4.3 Affiliate provisioning

The process for approval for affiliations is described below.

A person wishing to gain access to Information Technology resources for one or more persons not covered in previously established affiliations must apply for the establishment of such an affiliation from a Director, Information Technology.

This application must include details such as:

  • the purpose for which this affiliation should be established
  • the rules for eligibility for membership to this affiliation
  • the details of the Information Technology resources required by this affiliation
  • list of approved sponsors responsible for authorising membership
  • authorisation from the relevant Head of School or Cost Centre Manager.

Director, Information Technology will be responsible for the approval of such affiliation requests.

All membership to these affiliations will be for a fixed term not exceeding 12 months. Applications for continued membership will be required each year in order to ensure continued access.

Each affiliate will require sponsorship from a Cost Centre Manager approved staff member who will be responsible for authorising membership and liaising between Information Technology and the affiliate.

Each affiliate must provide current contact details and sufficient personal information in order to provide unique identification. (Note: Where the University provides on-campus internet access it must be able to provide positive identification and current contact details for each user under various state and federal Internet Service Provider Legislation.)

5. End user responsibility

All members of the University who have been provisioned with Information Technology Resources will be bound by the various ICT policies and related University Policies regarding their use. Particular reference is made to adherence to the Acceptable Use of ICT Resources – Governing Policy, as well as the Staff Code of Conduct – Governing Policy and the Student Conduct – Governing Policy.

END