Information Technology Standard 04.3.0

Desktop Administrative Rights Access Standard


Date of Current Revision or Creation: December 1, 2022


The purpose of an Information Technology Standard is to specify requirements for compliance with 圖朸厙 Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to define the terms and conditions upon which administrative rights access to the University's owned workstations or other University-owned end-user devices are granted.

Definitions

Abuse of Privilege - When a user willfully performs an action prohibited by organizational policy or law, even if technical controls are insufficient to prevent the user from performing the action.

General User Access - Provides standard access and prevents the user from making accidental or intentional system-wide changes and can run most applications.

Administrative Rights Access - This access is also referred to as privileged, administrator, admin, or root access, which allows an individual unrestricted access to change the configuration of operating system level settings on a specific University-owned desktop, laptop, end-user device, or server on a specific computer.

Standards Statement

By default, all University employees with non-IT related job descriptions are assigned general user access privileges on their individual workstations.

In some cases, the University may grant administrative rights access to an employee to a University-owned desktop, laptop, or other end-user device. Administrative rights access allow users the ability to change standard desktop configuration settings, install unlicensed software and disable other security measures, potentially creating security weaknesses in the desktop environment. This access is a privilege only provided to individuals who require this level of access and control in order to do their jobs effectively.

Authorization Process

All centrally managed University systems and applications that are capable of authenticating to the domain must be configured to authenticate to the domain. Administrative accounts must be provisioned in the domain with approvals described in ITS Standard 04.2.0 Account Management Standard.

Requests for administrative rights access are directed to Information Technology Services (ITS) using the account request process. Administrative rights access is only granted to individuals and only to a specific system or device. Justification is required for approval.

Users are responsible for understanding the user responsibilities for their privileged access.

Administrative Rights Access - User Responsibilities

Users with privileged access must take necessary precautions to protect the security of the information encountered in the performance of their duties.

Users may not use their privileged access for unauthorized viewing, modification, copying, or destruction of system or user data.

Users with privileged access are responsible for complying with all applicable laws, regulations, policies, and procedures.

Users with privileged access must always be aware that these privileges place them in a position of considerable trust. Users must not breach that trust by misusing privileges.

Users with privileged access must login with user-level privileges at the console of the system and use elevated privileges only for necessary administrative tasks.

Users with privileged access must setup and configure University owned computer workstations in accordance with security policies and procedures including the proper installation and functioning of certified virus protection software.

Administrative Rights Access Account Audit

The Account Management Team reviews account usage and assesses the continued need for the account.

Violations

Each individual that uses administrative rights access accounts must not abuse the privileged access. Any such abuse must be immediately reported to the IT Security Office. Violators are subject to disciplinary action.

Procedures, Guidelines & Other Related Information

History

Date Responsible Party Action
July 2015 IT Policy Office Created
December 2016 IT Policy Office Reviewed
December 2019 IT Policy Office Reviewed
December 2022 IT Policy Office Reviewed