eduPass – Identity and Access Management in Schools

Policy

The purpose of this policy is to specify how access to information and communications technology systems is controlled and managed in schools through effective identity management.

Summary

• In order to secure access to department and school information and communications technology systems and ensure the safety and privacy of staff and students, it is necessary to implement and manage school identity and access control capability.
• eduPass is a service for managing staff and student identity and password access to key department systems such as CASES21, eduPay, Career ePortfolio, Adobe Creative Cloud, Webex, and Department-managed Office 365 and Google G-suite.
• The department uses Secure Remote Access Service to securely access department information and communications technology systems when working remotely.
• Further information and user guides for staff are available on the department's website – eduPass for department staff.
• Further information and user guides for students are available on the department's website – eduPass for students.

Details

eduPass

The department has implemented eduPass to manage access to department information and communications technology (ICT) systems used by schools.

It is strongly recommended that schools use eduPass for managing access to School ICT systems, as eduPass is centrally supported by the Information Management and Technology Division (IMTD) and is fully compliant with the department’s ICT Information Security Policy (PDF) (staff login required) and related technical standards and policies.

Future implementations of centrally provided applications, software and ICT services, both curriculum and administration based, will use eduPass for identity and access management.

Where a school has elected not to use eduPass for controlling access to school ICT systems, the solution the school uses must conform to the following requirements:

• it must be fully compliant with the department’s ICT Information Security Policy (PDF) (staff login required)
• it must be fully compliant with the department’s ICT Information Security Access Management Standard (DOCX) (staff login required)
• delegations of authority for managing access controls must be equivalent to that implemented with eduPass, as documented in the section ‘Delegations of authority’ below
• there are procedures implemented to ensure that the access control solution is kept both current and patched in a timely manner, in order to minimise known vulnerabilities
• where the access control solution has fallen out of vendor support, it must be upgraded or replaced.

To obtain advice and support for migrating an existing solution to eduPass, schools should log a request through the department’s Services Portal (staff login required).

The department uses Secure Remote Access Service (SRAS) to securely access department ICT systems when working remotely. It is fully integrated with eduPass and uses multi-factor authentication to ensure security and safety of access.

School staff working remotely must use the department’s SRAS to access department ICT systems. Schools must not implement or use other remote access systems as these may compromise department ICT systems, and/or compromise personal or sensitive information.

User identity, passwords and behaviours

Users of department and school ICT systems must comply with the requirements of the Information Security – Infosafe Policy, the Acceptable Use Policy for ICT Resources and the ICT Information Security Access Management Standard (DOCX) (staff login required). This includes the following behaviours in relation to ICT system identity, passwords and access:

• Users must never share ICT accounts, passwords or other user authentication credentials.
• Users must not reuse department and/or school identity accounts or passwords on any external system.
• Users must immediately change their password if they believe it has been compromised and report the loss of any multi-factor device.
• Users must not write down or record their password under any circumstances.
• Users must take care to ensure they are not overlooked when entering their passwords, either by other individuals or surveillance devices.
• Users must lock their computers or other computing devices if they leave them unattended.

Delegations of authority

Principals are responsible for using eduPass to manage staff and student accounts. They may delegate the management of staff and student accounts to another member of staff.

Principals or their delegate use eduPass to manage staff accounts including:

• resetting passwords
• unlocking accounts
• adding and removing staff from the school email distribution list.

Principals or their delegate use eduPass to manage student accounts including:

• creating student accounts
• resetting student passwords
• enabling and disabling accounts
• unlocking student accounts
• managing student usernames.

Staff use eduPass to:

• manage password
• set-up and manage remote access.

Definitions

School ICT systems
Schools-based ICT applications and systems that are provided and supported by an individual school, as opposed to department-provided and supported systems. School ICT systems may be used by staff and/or students.

Related policies

• Acceptable Use Policy for ICT Resources
• eduMail (employee email)
• eduStar – ICT Services, Software and Advice for Schools
• ICT Support for Schools
• Information Security – InfoSafe
• School Administration Systems

Guidance

There is no further guidance for this topic. For more information, refer to Resources tab.

Resources

Useful links

• eduPass for department staff
• eduPass for students
• eduPass for community members
• eduPass for shared services
• eduPass support
• eduPass terms of service