User Access Review
Welcome to the cyber security User Access Review (UAR) webpage where you can access information and services to help you understand, and if requested, participate in a UAR.
Access Control - UAR
The University'sÌýCyber Security Policies and StandardsÌýrequire all access to University IT Services to be authorised, restricted based on need, and to be annually verified. Without periodic reviews of user access to applications, the University is at risk of unauthorised access, fraudulent activity, or confidentiality and privacy breaches.
°Õ³ó±ðÌýÌýoutlines the process, roles, and responsibilities for reviewing access and is a mandatory control required by theÌý. A UAR revalidates user accounts and access rights associated with IT services and assets.
A UAR cycle involves engagement and data collection, analysis, review (validation), remediation, and reporting.
Current UAR underway
View the applications in scope for the UAR cycle 2024.
-
Communications for aÌý2024 UARÌýwill be listed here.
The following 2023 UAR messages supported the separate and direct email communications to targeted reviewers:Inside UNSW news:
- Ìý- announcing the upcoming 2023 UAR.
- Ìý- a reminder to complete pending reviews.
Viva Engage posts:Ìý
- Ìýwith Business Owners (April)
- Ìý(²Ñ²¹²â)
- Ìý(´³³Ü²Ô±ð)
- ÌýJoin a UAR Drop-In session (June)
- Ìý- review closes soon (August)
- Ìý(³§±ð±è³Ù±ð³¾²ú±ð°ù)
-
Applications targeted for aÌý2024 UAR cycleÌýwill be listed here.ÌýÌý
- Applications in scope for the UAR cycle:Ìý
Business OwnerÌýis a person with primary responsibility for the business or technology functions provided by one or more UNSWÌý Information Resources, including any associated cyber security risk. Note: The Business Owner of a UNSW Information Resource may be in the UNSW IT unit or any other Organisational unit.ÌýÌýExtract from the Cyber Security Standard - Identity and Access Management.
61 applications were part of theÌý2023 UARÌýcycle:
Application name Details Business Owner AC Lab System (ACLS MWAC Lab) UNSW Biospecimen service. Carl Power Accept Online Future student admission system. Jason Dolan Active Directory (Privileged Access) A directory service for Windows enabling administrators to manage permissions and control access. Derek Winter Alliances CRM Alliances customer relationship management. Megan Tapia Alumni Experience Chatbot Alumni chatbot. Emily Barton ANZARD Data portal Australian & New Zealand Assisted Reproduction Database. Jade Newman ANZNN Data Portal Australian & New Zealand Neonatal Network Database. Sharon Chow Apply Online Student admission portal for non-UAC applicants. Jason Dolan Astra (Assessment Results) System to submit and process academic results. Jason Dolan Azure AD & Microsoft O365 Azure AD provisions single sign-on access. Microsoft O365 provides software, communication, and collaboration services. Mark Griffith BATS (Bequeathal and Tracking Systems) Management of anatomy donor details, tracking, and ethics. Pascal Carrive BookitLive Issues vouchers for clinic attendance. Belinda Parmenter Calumo Financial administration, budgeting, forecasting, and reporting system. Daniel Chew CASD IT Service Management Tool Request, incident, and problem management system. Mark Griffith Checkmarx Application security testing system. Derek Winter Course Planner - Syllabus Plus Academic timetabling management system. Jonathon Strauss CrowdStrike Managed detection and response service. Derek Winter Data Archives Research Research data archive. Grainne Moran Diligent Board Management system. James Fitzgibbon Echo 360 (Lecture Recording System) Lecture video recording. Dinesh Paikeday eMed Faculty of Medicine web-accessible curriculum management system for the undergraduate program. Gary Velan ERICA (E-Research Institutional Cloud Architecture) Provision of a secure cloud computing environment for research-sensitive data. Louisa Jorm Exam Scheduler - Syllabus Plus Management of examination timetables. Jonathon Strauss Figtree Workers compensation & injury management. Karl Baumgartner Gallagher (Cardax) Building access control system. Tara Murphy Genetec CCTV Closed circuit surveillance system. Tara Murphy GRIS (Graduate Research Information System) Higher Degree Research (HDR) candidature management and workflow administration system. Catherine Zell IBM Storage (Storage Area Network Management IBM ESS Storage) Management of storage subsystems. Mark Griffith ID Health Data Portal Intellectual disability regional health profile system. Julian Trollor InfoEd Research Grants Management System Research Grants Management System. Debbie Docherty Insight CRM Enterprise student customer relationship management system. Jason Dolan Inspera (Digital Assessment Platform) Online assessments and exam platform. Dinesh Paikeday Jaggaer (Chemical Inventory Management) Chemical inventory management system. Karl Baumgartner Katana Computation cluster supporting scientific computing needs of staff and postgraduates. Grainne Moran MidPoint Identity and access management system. Derek Winter Mobius Faculties of Science and Engineering web-based testing system. Jonathan Kress Moodle Learning management system. Dinesh Paikeday MyAccess Virtual application access to specialised applications for academics and students. Dinesh Paikeday MyUNSW Single online access point for UNSW services and information for current staff and students. Jason Dolan NS Financials (New South Financials) Financial administration. Daniel Chew OpenSpecimen (UNSW Biospecimen Services) Biospecimen management system. Anusha Hettiaratchi Physitrack Online exercise program. Belinda Parmenter PIMS (People Information Management System) Human resource and payroll management system. Pete Murray Raisers Edge Fundraising system targeting Alumni. Lindsay Robinson Ramaciotti Computer Cluster & CLIVE Genome sequencing technology system. Helena Mangs RAMS (Records and Archives Management System) Electronic documents and records management system. James Fitzgibbon REDCap (Research Electronic Data Capture) Electronic data capture platform. Grainne Moran ResGate (Research Gateway) Researcher profiles platform. Thomas Chow ResToolkit Research data management and storage system. Grainne Moran ROS (Research Output System) Capture and report on research publications and outputs. Fiona Bradley S4S Audit4 Clinical appointments and billing system. Belinda Parmenter SAM (Software Asset Management) Software asset management system. George Sideris SIMS (Student Information Management System) Student information. Jason Dolan StarRez (Accommodation Portal) Management of UNSW-owned accommodation for students. Isabelle Creagh Thycotic PAM Privileged access management security system. Derek Winter Tivoli Backup Enterprise backup system. Mark Griffith UniHire A talent acquisition and recruitment system for staff and onboarding. Shaun Williams UNSW Press - BC365 Business Central for UNSW Press. David Bridge VARTA Data portal National Perinatal Epidemiology and Statistics Unit Data Portal. Jade Newman Whispir SMS notification service for campus major incidents. Tara Murphy Xetta (OneStop) Conferencing and events management system. Daniel Chew Ìý
-
- To complete your review of accesses or view your past UAR cycles, open the MyUAR toolÌý
by clicking on the image or enter:Ìý/Ìýinto your browser window.Ìý - Remember when making a review decision to submit your review before closing the browser window.Ìý
1.Ìý Guides and FAQs
- Ìý(guide).
- .
2.Ìý ÌýIT UAR team
- For urgent questions, contact the UNSW IT UAR team via emailÌýcybersecurity-uar@unsw.edu.au.
- To complete your review of accesses or view your past UAR cycles, open the MyUAR toolÌý
-
The following are involved in a UAR cycle:
Involved Responsible for Organisational Unit Heads Ensuring a formal process is in place to manage access rights associated with IT services and assets that are under the units' control. Business Owners Business OwnersÌýare responsible and accountable for:
- Ensuring their applications are compliant, with theÌý, by completing the UAR. Business Owners may delegate this activity to the IT Service Owner, however, the Business Owner retains accountability.
- Scheduling and conducting access control verifications on the applications they are responsible for, as well as being accountable for data collection.
Extract from the Cyber Security Standard - Identity and Access Management.UNSW ManagersÌý
(anyone with staff reporting to them, e.g., Supervisors)UNSW Managers,Ìýanyone with staff reporting to them, e.g., Supervisors, areÌýresponsible for:
- Ensuring their staff access is validated by completing the UAR. Managers may delegate the review activity; however, it is not permitted to delegate a user's access review to the user themselves. In the case of missing manager or supervisor information, the access must be reviewed by the Business Owner.
- Providing, reviewing, and/or removing accounts and/or access for their direct reports.
- Keeping staff up to date on any changes to account access levels.
- Acting as an escalation point for action where they are the Manager Once Removed (MoR).
IT Service Owners
(IT System Owner)IT Service Owners are responsible for:
- Assisting Business Owners by providing user access lists for the applications they are responsible for.
'Information Service OwnerÌýmeans the person responsible for defining, operating, measuring, and improving a UNSW Information Service and associated cyber security controls. Also known as System OwnerÌýor IT Service Owner.'
Extract from the Cyber Security Standard - Identity and Access Management.UNSW IT Cyber SecurityÌýUAR team Oversee the facilitation of a UAR cycle to ensure compliance with Cyber Security Policies and Standards.
Important:
- When conducting the review, reviewers (Business Owners, UNSW Managers/Supervisors, or their delegates)Ìýare advised to consider that staff may have more than one role across the University, and as a result, it is vital they keep staff informed of any changes as a result of their review.
- Reporting lineÌýdetails for staff have been captured from University HR systems at a point in time. Where Managers identify incorrect reporting relationships as part of this review, they are requested to update details viaÌýÌýor contact theÌýÌýfor assistance.
- There is no immediate action required by staff using applications under review. Any questions about access should be directed to their manager/supervisor.
- Communications will be sent from the Cyber Security UAR mailbox directly to involved Business Owners and reviewers (UNSW Managers/Supervisors) by the Cyber Security UAR Team.
- For full details refer to theÌý.
-
User account/ access type Action Duration Escalation
(and duration)Reviewer:ÌýBusiness Owner Privileged accounts - Re-validation of access, or
- Deletion or de-activation of account
Note: Delegate can be an IT Service Owner. Privileged accounts certified by the delegate, must then be re-certified by the Business Owner.
15 working days Manager once removed (MoR)
(10 working days)
Elevated accounts
(IT related)- Re-validation of access, or
- Deletion or de-activation of account.
Note: Delegate can be an IT Service Owner. Elevated access certified by the delegate must then be re-certified by the Business Owner.
Elevated accounts
(Business function-related)- Re-validation of access, or
- Deletion or de-activation of account
Note: Delegate can complete the review.
Reviewer:ÌýUNSW ManagerÌý(of staff) Standard user account - Re-validation of access, or
- Deletion or de-activation of account
Note: Delegate can complete the review.
15 working days Manager once removed (MOR)
(10 working days)
Ìý
Important
- Where an assigned UAR has not been completed in 15 working days by the reviewer (Business Owner or UNSW Manager/Supervisor, or their delegate), theÌýManager once removed (MoR),Ìýof the user or account concerned, will be required to complete the UAR in 10 working days.
- Reporting lineÌýdetails for staff (accounts) are sourced, at a point in time, from information in HR systems. To ensure this information is accurate, Managers/Supervisors should review their staff reporting details viaÌýÌýor contact theÌýÌýfor assistance.
- For full details refer to theÌý
Past UARs
Completed UARs are summarised below. Official UAR Reports are provided to Business Owners and are confidential. The reports are accessible to internal and external auditors as well as for management reporting. Requests for official UAR Reports are to be made directly to the respective Business Owner.
-
From April to September 2023, an annual User Access Review cycle was completed for 61 University applications. Thirty-four Business Owners and 2,335 Managers/Supervisors and/or delegates (of staff) reviewed 63,709 access permissions pertaining to a total of 18,697 accounts. As a result, 90 percent of the access was certified and retained with 8 percent revoked. Refer to theÌýUAR 2023 summaryÌýfor details per application.
Ìý -
From March to October 2022, an inaugural User Access Review cycle was completed. The annual user access review targeted 21 University applications. Thirteen Business Owners and 1,550 Managers/Supervisors and/or delegates (of staff) reviewed 39,973 access permissions pertaining to a total of 13,427 accounts. As a result, 86 percent of the access was certified and retained with 11 percent revoked. Refer to theÌýUAR 2022 Summary (PDF, 208KB)Ìýto learn more about the applications and survey feedback.
Ìý
Reporting cyber incidents
It is important to report any cyber security incidents as quickly as possible so that UNSW IT’s Cyber Security team can address any issues and mitigate risk exposure.
What should I report?
- Suspecting your computer or account has been compromised.
- Having evidence on how technology or University data may be vulnerable.
- Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
- Losing a University asset containing sensitive information.
Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333 or using the link below.
Cyber security is everyone’s responsibility and by learning a few rules, simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and AwarenessÌýfor more information.
Ìý