17.3.1 Authorization and Access

All access to, and usage of IT resources must be appropriately requested, approved, registered and audited. A user is defined as any individual or entity granted access to OIST information assets to a level above public classification [Link: 17.8.9], or to IT resources above that available to the general public.

Users are responsible for protecting their account information by ensuring that their login, password and other access credentials remain secure at all times. The sharing of account information or passwords is not permitted, and may only be known to, and used by the individual assigned them.
In using these resources, users agree to abide by all relevant University policies, rules, procedures and applicable law. Users must acknowledge this understanding by reading and signing the OIST Graduate University Acceptable Use Policy, via physical signature or digital equivalent [Link: 17.6.1].

17.3.1.1 Account Creation
User accounts will be created via the following process:

  • Onboarding into the University via the process relevant to the user’s classification, resulting in registration into the OIST Identity Management System [Link: 17.8.17]
  • Acknowledgement by signature (or digital equivalent) of the OIST Graduate University Acceptable Use Policy [Link: 17.6.1]
  • Supervisors’ advance authorization to access any IT resources beyond those allocated by default
  • Authorization by the relevant Information Asset Manager  or Information Asset Administrator to access any Information Assets managed locall

17.3.1.2 Account Extension
Requests for extension of access shall be made with valid justification, via the process relevant to the user’s classification. Extension processes will include at least a minimum of supervisors’ approval, and any further approvals as required.

17.3.1.3 Account Expiry, Deactivation and Deletion
Accounts will be automatically deactivated upon expiry of a user’s term at the University unless extended as described above.
Systems administrators must deactivate invalid accounts when found, or as instructed by the CIO, CISO or legal counsel, and report the event to CIO and CISO.

17.3.1.4 Access Rights
Should users change roles or responsibilities, supervisors are responsible for ensuring updated access rights are communicated to IT Division, and any relevant Information Asset Managers [Link: 17.4.9]. Information Asset Managers are responsible for ensuring that access rights are updated appropriately.

17.3.1.5 Privileged Users/Systems Administrators
Any user granted escalated privileges [Link: 17.8.14] must use them only when required to do so in order to conduct OIST business. System access events of users possessing escalated privileges are to be recorded and monitored at all times.

17.3.1.6 Shared Accounts
Shared accounts are not in principal permitted, exceptions may be made at the discretion of the system administrators, with concurrence of the CIO or CISO.

17.3.1.7 Unauthorized Access
All users, including system administrators, must report unauthorized access to the CISO immediately if suspected.

Table of Contents