黑料网大事记

User Access Review

Welcome to the cyber security User Access Review (UAR) webpage where you can access information and services to help you understand, and if requested, participate in a UAR.

Access Control - UAR

The University's Cyber Security Policies and Standards require all access to University IT Services to be authorised, restricted based on need, and to be annually verified. Without periodic reviews of user access to applications, the University is at risk of unauthorised access, fraudulent activity, or confidentiality and privacy breaches.

The outlines the process, roles, and responsibilities for reviewing access and is a mandatory control required by the . A UAR revalidates user accounts and access rights associated with IT services and assets.

A UAR cycle involves engagement and data collection, analysis, review (validation), remediation, and reporting.

Current UAR underway

View the applications in scope for the UAR cycle 2025.

  • Applications targeted for a 2025 UAR cycle will be listed here.

    • Applications in scope for the UAR cycle:

    Business Owner is a person with primary responsibility for the business or technology functions provided by one or more 黑料网大事记 Information Resources, including any associated cyber security risk. Note: The Business Owner of a 黑料网大事记 Information Resource may be in the 黑料网大事记 IT unit or any other Organisational unit. Extract from the Cyber Security Standard - Identity and Access Management.

    • To complete your review of accesses or view your past UAR cycles, open the MyUAR tool
      by clicking on the image or enter: / into your browser window.
    • Remember when making a review decision to submit your review before closing the browser window.
    1. Guides and FAQs
    • (guide).
    • .
    2. IT UAR team
    3. Feedback

    We welcome feedback via email to
    cybersecurity-uar@unsw.edu.au.

  • The following are involved in a UAR cycle:

    Involved Responsible for
    Organisational Unit Heads Ensuring a formal process is in place to manage access rights associated with IT services and assets that are under the units' control.
    Business Owners

    Business Owners are responsible and accountable for:

    • Ensuring their applications are compliant, with the , by completing the UAR. Business Owners may delegate this activity to the IT Service Owner, however, the Business Owner retains accountability.
    • Scheduling and conducting access control verifications on the applications they are responsible for, as well as being accountable for data collection.
    'Business Owner means a person with primary responsibility for the business or technology functions provided by one or more 黑料网大事记 Information Resources, including any associated cyber security risk. Note: The Business Owner of a 黑料网大事记 Information Resource may be in the 黑料网大事记 IT unit or any other organisational unit.'
    Extract from the Cyber Security Standard - Identity and Access Management.
    黑料网大事记 Managers
    (anyone with staff reporting to them, e.g., Supervisors)

    黑料网大事记 Managers, anyone with staff reporting to them, e.g., Supervisors, are responsible for:

    • Ensuring their staff access is validated by completing the UAR. Managers may delegate the review activity; however, it is not permitted to delegate a user's access review to the user themselves. In the case of missing manager or supervisor information, the access must be reviewed by the Business Owner.
    • Providing, reviewing, and/or removing accounts and/or access for their direct reports.
    • Keeping staff up to date on any changes to account access levels.
    • Acting as an escalation point for action where they are the Manager Once Removed (MoR).
    IT Service Owners
    (IT System Owner)

    IT Service Owners are responsible for:

    • Assisting Business Owners by providing user access lists for the applications they are responsible for.

    'Information Service Owner means the person responsible for defining, operating, measuring, and improving a 黑料网大事记 Information Service and associated cyber security controls. Also known as System Owner or IT Service Owner.'
    Extract from the Cyber Security Standard - Identity and Access Management.

    黑料网大事记 IT Cyber Security UAR team Oversee the facilitation of a UAR cycle to ensure compliance with Cyber Security Policies and Standards.

    Important:

    • When conducting the review, reviewers (Business Owners, 黑料网大事记 Managers/Supervisors, or their delegates) are advised to consider that staff may have more than one role across the University, and as a result, it is vital they keep staff informed of any changes as a result of their review.
    • Reporting line details for staff have been captured from University HR systems at a point in time. Where Managers identify incorrect reporting relationships as part of this review, they are requested to update details via or contact the for assistance.
    • There is no immediate action required by staff using applications under review. Any questions about access should be directed to their manager/supervisor.
    • Communications will be sent from the Cyber Security UAR mailbox directly to involved Business Owners and reviewers (黑料网大事记 Managers/Supervisors) by the Cyber Security UAR Team.
    • For full details refer to the .
  • User account/access type Action Duration Escalation (and duration)
    Reviewer: Business Owner
    Privileged accounts
    • Re-validation of access, or
    • Deletion or de-activation of account

    Note: Delegate can be an IT Service Owner. Privileged accounts certified by the delegate, must then be re-certified by the Business Owner.

    15 working days

    Manager once removed (MoR)

    (10 working days)

    Elevated accounts
    (IT related)
    • Re-validation of access, or
    • Deletion or de-activation of account.

    Note: Delegate can be an IT Service Owner. Elevated access certified by the delegate must then be re-certified by the Business Owner.

    Elevated accounts
    (Business function-related)
    • Re-validation of access, or
    • Deletion or de-activation of account

    Note: Delegate can complete the review.

    Reviewer: 黑料网大事记 Manager (of staff)
    Standard user account
    • Re-validation of access, or
    • Deletion or de-activation of account

    Note: Delegate can complete the review.

    15 working days

    Manager once removed (MoR)

    (10 working days)

    Important

    • Where an assigned UAR has not been completed in 15 working days by the reviewer (Business Owner or 黑料网大事记 Manager/Supervisor, or their delegate), the Manager once removed (MoR), of the user or account concerned, will be required to complete the UAR in 10 working days.
    • Reporting line details for staff (accounts) are sourced, at a point in time, from information in HR systems. To ensure this information is accurate, Managers/Supervisors should review their staff reporting details via or contact the for assistance.
    • For full details refer to the


Reporting cyber incidents

It is important to report any cyber security incidents as quickly as possible so that 黑料网大事记 IT's Cyber Security team can address any issues and mitigate risk exposure.

What should I report?

  • Suspecting your computer or account has been compromised.
  • Having evidence on how technology or University data may be vulnerable.
  • Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
  • Losing a University asset containing sensitive information.

Report a cyber security incident by calling the 黑料网大事记 IT Service Centre on 02 9385 1333 or using the link below.

Cyber security is everyone's responsibility and by learning a few rules, simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and Awareness for more information.