...

  1. Privileged access is granted only to authorized individuals. Privileged access shall be granted to individuals only after they have read and signed the Access and Compliance Agreement.
  2. Privileged access may be used only to perform assigned job duties.
  3. If methods other than using privileged access will accomplish an action, those other methods must be used unless the burden of time or other resources required clearly justifies using privileged access.
  4. Privileged access may be used to perform standard system-related duties only on machines and networks whose responsibility is part of assigned job duties. Examples of such activity include:
    • installing system software;
    • relocating individuals' files;
    • performing repairs required to return a system to normal function, such as fixing files or file processes, or killing runaway processes;
    • running security checking programs;
    • monitoring the system to ensure reliability and security.
  5. When possible, privileged accounts should not be used for day-to-day tasks such as checking email, browsing the web, or logging into your local workstation.
  6. Privileged access may be used to grant, change, or deny access to resources or privilege to another individual only for authorized account management activities or under exceptional circumstances. Such actions must follow any existing organizational guidelines and procedures. Examples include:
    • disabling an account apparently responsible for serious misuse such as: attempting to compromise root (UNIX) or the administrator account (Windows), using a host to send harassing or threatening email, using software to mount attacks on other hosts, or engaging in activities designed to disrupt the functioning of the host itself;
    • disconnecting a host or subnet from the network when a security compromise is suspected;
    • accessing files for law enforcement authorities on the basis of a valid subpoena.
  7. Accounts with elevated privileges will have the following prefixes depending on the type of account:
    • a_: provides privileged access to an individual.
    • s_: provides access to an application or service.
    • va_: provides individual vendor privileged access.
  8. Multi-Factor Access will be used where possible; where not possible, privileged accounts will use a unique password per system. ---- What if they are connected to LDAP? Do we need to give them an account for each system? Or is one account in that case acceptable? Multi-Factor Access must be used when it is available for authentication to the subject resource.
  9. Privileged accounts can only be used on university-owned and managed systems.

...