Privileged Access Control Standard

I. General Statement

The intent of this standard is to instruct authorized users on protection and preservation of the confidentiality, integrity, and availability of systems and information accessible through accounts with privileged access.

II. Definition

Privileged access is defined as a level of access above that of a normal user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have privileged access. In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have privileged access. In an application environment, users with system administrator roles and responsibilities would be considered to have privileged access.

III. Standards

  1. Use of Privileged Access: Privileged Access to IT resources and systems should only be used for official university business requiring the use of privileged access and should be consistent with a user’s role or job responsibilities.
    1. University business is not:
      1. accessing restricted information that is outside the scope of specific job responsibilities.
      2. exposing or otherwise disclosing restricted information to unauthorized persons.
      3. using access to satisfy personal curiosity about an individual, system or other type of entity.
      4. without prior authorization, documented by management:
        1. circumventing user access controls or any other formal university security controls.
        2. circumventing bandwidth limits.
        3. circumventing formal account activation/deactivation procedures.
        4. circumventing formal account access change request procedures.
    2. Accomplishing general day-to-day activities, such as e-mail and internet browsing/research, never requires privileged access.
    3. Install software from authorized and authoritative sites only. Abide by any license agreements for any software installed using the privileged access and be able to provide a copy of the license if requested.
  2. Authorization of Privileged Access: Privileged access will be granted on a system-by-system basis requiring approval from the System Owner, the Information Security Officer (ISO), and the user’s supervisor, or designee (to include Third Party Contract Language). Privileged access is requested via the Privileged Access Request form.

    Exemptions:

    1. All users of the Faculty/Staff Workstation System have System Owner approval for privileged access; therefore, privileged access requires supervisor and ISO approval. 
    2. All users whose job requires specific Active Directory administrative group membership have System Owner approval for privileged access; therefore, privileged access only requires supervisor and ISO approval. 
  3. Authentication Requirements: Supplementary and/or stronger authentication is required to utilize privileged access. As such, privileged access requires at least one of the following:
    1. A password unique to the privileged access that meets the Information Technology Security Program - Password Management Standard and has an abbreviated expiration, at a minimum of every 90 days.
    2. Multi-factor Authentication via a Longwood University approved application.
  4. Termination of Privileged Access: When a user’s role or job responsibilities change, privileged access should be promptly updated or removed.
  5. Enforcement: Violators of this standard are subject to disciplinary action, in addition to possible cancellation of privileged access.