...
- Privileged access is granted only to authorized individuals. Privileged access shall be granted to individuals only after they have read and signed the Access and Compliance Agreement.
- Privileged access may be used only to perform assigned job duties.
- If methods other than using privileged access will accomplish an action, those other methods must be used unless the burden of time or other resources required clearly justifies using privileged access.
- Privileged access may be used to perform standard system-related duties only on machines and networks whose responsibility is part of assigned job duties. Examples of such activity include:
- installing system software;
- relocating individuals' files;
- performing repairs required to return a system to normal function, such as fixing files or file processes, or killing runaway processes;
- running security checking programs;
- monitoring the system to ensure reliability and security.
- Privileged accounts should not be used for day to day tasks such as checking email, browsing the web or logging into your local workstation when possible.
- Privileged access may be used to grant, change, or deny access to resources or privilege to another individual only for authorized account management activities; or under exceptional circumstances. Such actions must follow any existing organizational guidelines and procedures. Examples include:
- disabling an account apparently responsible for serious misuse such as: attempting to compromise root (UNIX) or the administrator account (Windows), using a host to send harassing or threatening email, using software to mount attacks on other hosts, or engaging in activities designed to disrupt the functioning of the host itself;
- disconnecting a host or subnet from the network when a security compromise is suspected;
- accessing files for law enforcement authorities on the basis of a valid subpoena.
- Accounts with elevated privileges will have the following prefixes depending on the type of account:
- a_ Provide privileged access to an individual.
- s_ Provide access to an application or service.
- va_ Provide individual vendor privileged access.
- Multi-Factor Access will be used where possible, where not possible privileged accounts will use a unique password per system. ----What if they are connected to LDAP.. do we need to give them account for each system? Or is one account in that case acceptable?
- Privileged accounts can only be used on university owned and managed systems.
...