Versions Compared

Old Version 36

changes.mady.by.user Manjak, Martin

Saved on

compared with

New Version 37

changes.mady.by.user Manjak, Martin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Privileged access is granted only to authorized individuals. Privileged access shall be granted to individuals only after they have read and signed the Access and Compliance Agreement.
  2. Privileged access may be used only to perform assigned job duties.
  3. If methods other than using privileged access will accomplish an action, those other methods must be used unless the burden of time or other resources required clearly justifies using privileged access.
  4. Privileged access may be used to perform standard system-related duties only on machines and networks whose responsibility is part of the employee's assigned job duties. Examples of such activity include:
    • installing system software;
    • relocating individuals' files;
    • performing repairs required to return a system to normal function, such as fixing files or file processes, or killing runaway processes;
    • running security checking programs;
    • monitoring the system to ensure reliability and security.
  5. Privileged accounts must only be used for work directly related to the privileged access. Routine tasks (e.g., email, web browsing) not directly linked to the privileged access activity expose the resource to threats that would be greatly amplified by the level of privilege enjoyed by the operator. For this this reason, they are prohibited.
  6. Privileged access may be used to grant, change, or deny access to resources or privilege to another individual only for authorized account management activities; or under exceptional circumstances. Such actions must follow any existing organizational guidelines and procedures. Examples include:
    • disabling an account apparently responsible for serious misuse such as: attempting to compromise root (UNIX) or the administrator account (Windows), using a host to send harassing or threatening email, using software to mount attacks on other hosts, or engaging in activities designed to disrupt the functioning of the host itself;
    • disconnecting a host or subnet from the network when a security compromise is suspected;
    • accessing files for law enforcement authorities on the basis of a valid subpoena.
  7. Accounts with elevated privileges will have the following prefixes depending on the type of account:
    • a_ Provide privileged access to an individual. 
    • s_ Provide access to an application or service. 
    • va_ Provide individual vendor privileged access.
  8. Multi-Factor Access must be used when it is available for authentication to the subject resource.
  9. Privileged accounts should only be accessed from university-owned and managed systems.

...