
User Access Review

Welcome to the cyber security User Access Review (UAR) webpage, where you can access information and services to help you understand a UAR and, if requested, participate in one.


Access Control - UAR

The University's Cyber Security Policies and Standards require all access to University IT Services to be authorised, restricted to what the role needs, and verified annually. Without periodic reviews of user access to applications, the University is at risk of unauthorised access, fraudulent activity, or confidentiality and privacy breaches.

The UAR process outlines the steps, roles, and responsibilities for reviewing access and is a mandatory control required by the University's Cyber Security Policies and Standards. A UAR revalidates user accounts and the access rights associated with IT services and assets.

A UAR cycle involves engagement and data collection, analysis, review (validation), remediation, and reporting.

Current UAR underway

View the applications in scope for the UAR cycle 2024.

  • Communications for a 2024 UAR will be listed here.

    The following 2023 UAR messages supported the separate and direct email communications to targeted reviewers:

    Inside UNSW news:

    • Announcement of the upcoming 2023 UAR.
    • Reminder to complete pending reviews.

    Viva Engage posts:

    • With Business Owners (April)
    • (May)
    • (June)
    • Join a UAR Drop-In session (June)
    • Review closes soon (August)
    • (September)
  • Applications targeted for a 2024 UAR cycle will be listed here.

    • Applications in scope for the UAR cycle:

    Business Owner is a person with primary responsibility for the business or technology functions provided by one or more UNSW Information Resources, including any associated cyber security risk. Note: The Business Owner of a UNSW Information Resource may be in the UNSW IT unit or any other organisational unit. Extract from the Cyber Security Standard - Identity and Access Management.

    61 applications were part of the 2023 UAR cycle:

    Application name | Details | Business Owner
    AC Lab System (ACLS MWAC Lab) | UNSW Biospecimen service. | Carl Power
    Accept Online | Future student admission system. | Jason Dolan
    Active Directory (Privileged Access) | A directory service for Windows enabling administrators to manage permissions and control access. | Derek Winter
    Alliances CRM | Alliances customer relationship management. | Megan Tapia
    Alumni Experience Chatbot | Alumni chatbot. | Emily Barton
    ANZARD Data portal | Australian & New Zealand Assisted Reproduction Database. | Jade Newman
    ANZNN Data Portal | Australian & New Zealand Neonatal Network Database. | Sharon Chow
    Apply Online | Student admission portal for non-UAC applicants. | Jason Dolan
    Astra (Assessment Results) | System to submit and process academic results. | Jason Dolan
    Azure AD & Microsoft O365 | Azure AD provisions single sign-on access. Microsoft O365 provides software, communication, and collaboration services. | Mark Griffith
    BATS (Bequeathal and Tracking Systems) | Management of anatomy donor details, tracking, and ethics. | Pascal Carrive
    BookitLive | Issues vouchers for clinic attendance. | Belinda Parmenter
    Calumo | Financial administration, budgeting, forecasting, and reporting system. | Daniel Chew
    CASD IT Service Management Tool | Request, incident, and problem management system. | Mark Griffith
    Checkmarx | Application security testing system. | Derek Winter
    Course Planner - Syllabus Plus | Academic timetabling management system. | Jonathon Strauss
    CrowdStrike | Managed detection and response service. | Derek Winter
    Data Archives Research | Research data archive. | Grainne Moran
    Diligent | Board management system. | James Fitzgibbon
    Echo 360 (Lecture Recording System) | Lecture video recording. | Dinesh Paikeday
    eMed | Faculty of Medicine web-accessible curriculum management system for the undergraduate program. | Gary Velan
    ERICA (E-Research Institutional Cloud Architecture) | Provision of a secure cloud computing environment for research-sensitive data. | Louisa Jorm
    Exam Scheduler - Syllabus Plus | Management of examination timetables. | Jonathon Strauss
    Figtree | Workers compensation & injury management. | Karl Baumgartner
    Gallagher (Cardax) | Building access control system. | Tara Murphy
    Genetec CCTV | Closed circuit surveillance system. | Tara Murphy
    GRIS (Graduate Research Information System) | Higher Degree Research (HDR) candidature management and workflow administration system. | Catherine Zell
    IBM Storage (Storage Area Network Management, IBM ESS Storage) | Management of storage subsystems. | Mark Griffith
    ID Health Data Portal | Intellectual disability regional health profile system. | Julian Trollor
    InfoEd Research Grants Management System | Research grants management system. | Debbie Docherty
    Insight CRM | Enterprise student customer relationship management system. | Jason Dolan
    Inspera (Digital Assessment Platform) | Online assessments and exam platform. | Dinesh Paikeday
    Jaggaer (Chemical Inventory Management) | Chemical inventory management system. | Karl Baumgartner
    Katana | Computation cluster supporting scientific computing needs of staff and postgraduates. | Grainne Moran
    MidPoint | Identity and access management system. | Derek Winter
    Mobius | Faculties of Science and Engineering web-based testing system. | Jonathan Kress
    Moodle | Learning management system. | Dinesh Paikeday
    MyAccess | Virtual application access to specialised applications for academics and students. | Dinesh Paikeday
    MyUNSW | Single online access point for UNSW services and information for current staff and students. | Jason Dolan
    NS Financials (New South Financials) | Financial administration. | Daniel Chew
    OpenSpecimen (UNSW Biospecimen Services) | Biospecimen management system. | Anusha Hettiaratchi
    Physitrack | Online exercise program. | Belinda Parmenter
    PIMS (People Information Management System) | Human resource and payroll management system. | Pete Murray
    Raisers Edge | Fundraising system targeting alumni. | Lindsay Robinson
    Ramaciotti Computer Cluster & CLIVE | Genome sequencing technology system. | Helena Mangs
    RAMS (Records and Archives Management System) | Electronic documents and records management system. | James Fitzgibbon
    REDCap (Research Electronic Data Capture) | Electronic data capture platform. | Grainne Moran
    ResGate (Research Gateway) | Researcher profiles platform. | Thomas Chow
    ResToolkit | Research data management and storage system. | Grainne Moran
    ROS (Research Output System) | Capture and report on research publications and outputs. | Fiona Bradley
    S4S Audit4 | Clinical appointments and billing system. | Belinda Parmenter
    SAM (Software Asset Management) | Software asset management system. | George Sideris
    SIMS (Student Information Management System) | Student information. | Jason Dolan
    StarRez (Accommodation Portal) | Management of UNSW-owned accommodation for students. | Isabelle Creagh
    Thycotic PAM | Privileged access management security system. | Derek Winter
    Tivoli Backup | Enterprise backup system. | Mark Griffith
    UniHire | Talent acquisition, recruitment, and onboarding system for staff. | Shaun Williams
    UNSW Press - BC365 | Business Central for UNSW Press. | David Bridge
    VARTA Data portal | National Perinatal Epidemiology and Statistics Unit Data Portal. | Jade Newman
    Whispir | SMS notification service for campus major incidents. | Tara Murphy
    Xetta (OneStop) | Conferencing and events management system. | Daniel Chew

    • To complete your review of accesses or to view your past UAR cycles, open the MyUAR tool.
    • When making a review decision, remember to submit your review before closing the browser window.

    Guides and FAQs

    • (guide).

    IT UAR team

    Feedback

    We welcome feedback via email to cybersecurity-uar@unsw.edu.au.

  • The following are involved in a UAR cycle:

    Organisational Unit Heads are responsible for ensuring a formal process is in place to manage access rights associated with IT services and assets under the unit's control.

    Business Owners are responsible and accountable for:

    • Ensuring their applications are compliant with the University's Cyber Security Standards by completing the UAR. Business Owners may delegate this activity to the IT Service Owner; however, the Business Owner retains accountability.
    • Scheduling and conducting access control verifications on the applications they are responsible for, and for the associated data collection.

    UNSW Managers (anyone with staff reporting to them, e.g., Supervisors) are responsible for:

    • Ensuring their staff's access is validated by completing the UAR. Managers may delegate the review activity; however, a user's access review must never be delegated to the user themselves. Where manager or supervisor information is missing, the access must be reviewed by the Business Owner.
    • Providing, reviewing, and/or removing accounts and/or access for their direct reports.
    • Keeping staff up to date on any changes to account access levels.
    • Acting as an escalation point for action where they are the Manager once Removed (MoR).

    IT Service Owners (IT System Owners) are responsible for:

    • Assisting Business Owners by providing user access lists for the applications they are responsible for.

    'Information Service Owner means the person responsible for defining, operating, measuring, and improving a UNSW Information Service and associated cyber security controls. Also known as System Owner or IT Service Owner.'
    Extract from the Cyber Security Standard - Identity and Access Management.

    The UNSW IT Cyber Security UAR team oversees the facilitation of a UAR cycle to ensure compliance with the Cyber Security Policies and Standards.

    Important:

    • When conducting the review, reviewers (Business Owners, UNSW Managers/Supervisors, or their delegates) should keep in mind that staff may hold more than one role across the University; it is therefore vital that they keep staff informed of any changes resulting from their review.
    • Reporting line details for staff have been captured from University HR systems at a point in time. Where Managers identify incorrect reporting relationships as part of this review, they are requested to update the details in the HR system or request assistance.
    • No immediate action is required from staff using applications under review. Any questions about access should be directed to their manager/supervisor.
    • Communications will be sent from the Cyber Security UAR mailbox directly to the Business Owners and reviewers (UNSW Managers/Supervisors) involved, by the Cyber Security UAR Team.
  • Review responsibilities, durations and escalation by account/access type:

    User account / access type | Reviewer | Action | Duration | Escalation (and duration)
    Privileged accounts | Business Owner | Re-validation of access, or deletion or de-activation of the account. A delegate can be an IT Service Owner; privileged accounts certified by the delegate must then be re-certified by the Business Owner. | 15 working days | Manager once Removed (MoR), 10 working days
    Elevated accounts (IT related) | Business Owner | Re-validation of access, or deletion or de-activation of the account. A delegate can be an IT Service Owner; elevated access certified by the delegate must then be re-certified by the Business Owner. | 15 working days | Manager once Removed (MoR), 10 working days
    Elevated accounts (business function-related) | Business Owner | Re-validation of access, or deletion or de-activation of the account. A delegate can complete the review. | 15 working days | Manager once Removed (MoR), 10 working days
    Standard user account | UNSW Manager (of staff) | Re-validation of access, or deletion or de-activation of the account. A delegate can complete the review. | 15 working days | Manager once Removed (MoR), 10 working days

    Important

    • Where an assigned UAR has not been completed within 15 working days by the reviewer (Business Owner or UNSW Manager/Supervisor, or their delegate), the Manager once Removed (MoR) of the user or account concerned will be required to complete the UAR within 10 working days.
    • Reporting line details for staff (accounts) are sourced, at a point in time, from information in HR systems. To ensure this information is accurate, Managers/Supervisors should review their staff reporting details in the HR system or request assistance.
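The reviewer assignment, self-review prohibition, delegate re-certification and MoR escalation rules described above lend themselves to a policy-as-code check that can be run over an exported access listing before decisions are accepted. The following Python is an added example, not code from this page or from the University's MyUAR tool: the `Access` record layout, the constructed sample records and account names, the working-day calendar (which ignores public holidays) and the fallback of escalation to the Business Owner when no MoR is recorded are all assumptions made for illustration.

```python
# Added example, not code from the UAR page or the University: the reviewer,
# self-review, re-certification and escalation rules from the table above,
# expressed as checks over a constructed set of access records. The record
# layout, sample names and the MoR fallback are assumptions for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW_DAYS = 15   # working days for the assigned reviewer
ESCALATION_DAYS = 10      # working days for the Manager once Removed (MoR)

# Access types from the table and who must review them.
BUSINESS_OWNER_REVIEWED = {"privileged", "elevated-it", "elevated-business"}
# Delegate decisions on these types must be re-certified by the Business Owner.
RECERTIFY_BY_OWNER = {"privileged", "elevated-it"}


@dataclass
class Access:
    account: str                        # user whose access is under review
    application: str
    access_type: str                    # privileged | elevated-it | elevated-business | standard
    business_owner: str
    assigned_on: date                   # day the review was assigned
    manager: Optional[str] = None       # reporting line from HR; may be missing
    mor: Optional[str] = None           # Manager once Removed
    delegate: Optional[str] = None      # reviewer's delegate, if any
    certified_by: Optional[str] = None  # who submitted the review decision


def add_working_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday working days from start (public holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def primary_reviewer(a: Access) -> str:
    """Business Owner for privileged/elevated access; the user's Manager for standard
    accounts, falling back to the Business Owner when HR has no manager recorded."""
    if a.access_type in BUSINESS_OWNER_REVIEWED:
        return a.business_owner
    return a.manager or a.business_owner


def certification_problems(a: Access) -> list[str]:
    """Policy violations in a submitted decision; an empty list means it is acceptable."""
    problems: list[str] = []
    if a.certified_by is None:
        return problems
    if a.certified_by == a.account:
        problems.append("self-review: access must not be certified by the user concerned")
    allowed = {primary_reviewer(a), a.delegate, a.mor} - {None}
    if a.certified_by not in allowed:
        problems.append(f"{a.certified_by} is not the assigned reviewer, delegate or MoR")
    if a.access_type in RECERTIFY_BY_OWNER and a.certified_by != a.business_owner:
        problems.append("delegate decision on privileged/elevated IT access needs "
                        "re-certification by the Business Owner")
    return problems


def responsible_on(a: Access, today: date) -> tuple[str, date]:
    """Who owns the review on a given day and their deadline: the primary reviewer
    for 15 working days, then the MoR for a further 10 once that has lapsed.
    Assumption: with no MoR recorded, escalation goes to the Business Owner."""
    deadline = add_working_days(a.assigned_on, REVIEW_WINDOW_DAYS)
    if a.certified_by is not None or today <= deadline:
        return primary_reviewer(a), deadline
    return (a.mor or a.business_owner), add_working_days(deadline, ESCALATION_DAYS)


def overdue_report(records: list[Access], today: date) -> dict[str, tuple[str, date]]:
    """Map each unreviewed account to who must act and by when, as of today."""
    return {a.account: responsible_on(a, today) for a in records if a.certified_by is None}


# Constructed sample records (names, dates and applications are illustrative only).
SAMPLE = [
    # privileged access certified by the IT Service Owner delegate, not yet by the BO
    Access("u123", "MidPoint", "privileged", "bo.alice", date(2023, 5, 1),
           manager="mgr.bob", mor="mor.carol", delegate="sysowner.dan",
           certified_by="sysowner.dan"),
    # standard access with no manager in HR and no decision yet
    Access("u456", "Moodle", "standard", "bo.erin", date(2023, 5, 1)),
    # manager delegated the review to the user themselves, who then self-certified
    Access("u789", "SIMS", "standard", "bo.erin", date(2023, 5, 1),
           manager="mgr.gina", mor="mor.frank", delegate="u789", certified_by="u789"),
]
AS_OF = date(2023, 5, 23)   # constructed "today": one day past the 15-working-day window

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.account, a.application, primary_reviewer(a), certification_problems(a))
    print(overdue_report(SAMPLE, AS_OF))
```

Run stand-alone, the block reports the first record as needing Business Owner re-certification, the third as an unacceptable self-review, and the second (standard access with no manager in HR) as falling to the Business Owner; because that record has no MoR either, the same Business Owner becomes the escalation point after the 15 working days lapse, with a further 10 working days to complete it.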

Past UARs

Completed UARs are summarised below. Official UAR Reports are provided to Business Owners and are confidential. The reports are accessible to internal and external auditors as well as for management reporting. Requests for official UAR Reports are to be made directly to the respective Business Owner.

  • From April to September 2023, an annual User Access Review cycle was completed for 61 University applications. Thirty-four Business Owners and 2,335 Managers/Supervisors and/or delegates (of staff) reviewed 63,709 access permissions pertaining to a total of 18,697 accounts. As a result, 90 percent of the access was certified and retained and 8 percent was revoked. Refer to the UAR 2023 summary for details per application.

  • From March to October 2022, an inaugural User Access Review cycle was completed. The annual user access review targeted 21 University applications. Thirteen Business Owners and 1,550 Managers/Supervisors and/or delegates (of staff) reviewed 39,973 access permissions pertaining to a total of 13,427 accounts. As a result, 86 percent of the access was certified and retained and 11 percent was revoked. Refer to the UAR 2022 Summary (PDF, 208KB) to learn more about the applications and survey feedback.



Reporting cyber incidents

It is important to report any cyber security incident as quickly as possible so that the UNSW IT Cyber Security team can address the issue and limit the University's exposure.

What should I report?

  • Suspecting your computer or account has been compromised.
  • Having evidence on how technology or University data may be vulnerable.
  • Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
  • Losing a University asset containing sensitive information.

Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333.

Cyber security is everyone's responsibility. By learning a few rules, taking simple steps, and following the guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and Awareness for more information.