Privileged Access Control Standard
I. General Statement
The intent of this standard is to instruct authorized users on protection and preservation of the confidentiality, integrity, and availability of systems and information accessible through accounts with privileged access.
Privileged Access is defined as a level of access above that of a normal user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have privileged access. In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have privileged access. In an application environment, users with system administrator roles and responsibilities would be considered to have privileged access.
Use of Privileged Access: Privileged Access to IT resources and systems should only be used for official University business requiring the use of privileged access and should be consistent with a user’s role or job responsibilities.
- University business is not:
  - Accessing restricted information that is outside the scope of specific job responsibilities.
  - Exposing or otherwise disclosing restricted information to unauthorized persons.
  - Using access to satisfy personal curiosity about an individual, system, or other type of entity.
  - Without prior authorization, documented by management:
    - Circumventing user access controls or any other formal University security controls.
    - Circumventing bandwidth limits.
    - Circumventing formal account activation/deactivation procedures.
    - Circumventing formal account access change request procedures.
- Accomplishing general day-to-day activities, such as e-mail and internet browsing/research, never requires privileged access.
- Install software from authorized and authoritative sites only. Abide by any license agreements for any software installed using the privileged access and be able to provide a copy of the license if requested.
Authorization of Privileged Access: Privileged access will be granted on a system-by-system basis, requiring approval from both the System Owner and the user’s supervisor, or designee (to include Third Party Contract Language).
- All users of the Faculty/Staff Workstation System have System Owner approval for privileged access; therefore, privileged access only requires supervisor approval.
- All users of the Mobile Device Support system have System Owner approval for privileged access and supervisor approval is assumed at the assignment of a Single User Laptop.
Authentication Requirements: Supplementary and/or stronger authentication is required to utilize privileged access. As such, privileged access requires at least one of the following:
- A unique-to-the-privileged-access password that meets the LancerNet Password Standards and has an abbreviated expiration of, at a minimum, every 90 days.
- A unique-to-the-privileged-access authentication device.
- A unique-to-the-privileged-access biometric.
Termination of Privileged Access: When a user’s role or job responsibilities change, privileged access should be promptly updated or removed.
Enforcement: Violators of this standard are subject to disciplinary action, in addition to possible cancellation of privileged access.
Approved by the Chief Information Officer, October 15, 2013.