Information Security Standards

Administrator/Special Access

GENERAL

Information Technology support staff, system administrators and others may require special access account privileges beyond those of typical users. Administrator accounts and other special access accounts have extended and overarching privileges in comparison with typical user accounts; thus, the granting, controlling and monitoring of these accounts is extremely important to an overall security program.

APPLICABILITY

This procedure applies to all University information resources. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Administrator and Special Access Accounts. The intended audience for this procedure includes, but is not limited to, all information resources owners, management personnel, system administrators, and end users.

PROCEDURES

1. Each individual who uses an administrator or special access account shall refrain from abuse of privilege and shall only conduct investigations as directed by appropriate University management personnel.

2. In those cases where law enforcement agencies request access in conjunction with an investigation, the request shall be in writing (e.g., subpoena, court order). All such requests shall be reported to the appropriate department head, director, or their designee before any action is taken. Investigations on behalf of law enforcement should be coordinated with an appropriate university legal representative.

3. Each individual who uses an administrator or special access account shall use the account or access privilege most appropriate for the requirements of the work being performed and shall log off the administrator or special access account once the privilege is no longer required.

4. The password for a shared administrator or special access account shall change under any of the following conditions:

a. an individual knowing the password leaves the University or department;

b. job duties change such that the individual no longer performs functions requiring administrator/special access; or,

c. a contractor or vendor with such access leaves or completes their work.

5. In the case where a system has only one administrator, a password shall be stored in an envelope in a secure space (safe or vault) so that an appropriate individual other than the administrator can gain access to the administrator account in an emergency situation.

6. When special access accounts are developed for internal or external audits, software development, software installation, or other defined needs, they must be:

a. authorized by a department head;

b. created with a specific expiration date; and,

c. removed when the task or project is complete.

HISTORY

Last Updated March 31, 2014