Handbook of Operating Procedures > Series 700 Information Resources > 7.1.5 Administrative Special Access

7.1.5 Administrative Special Access

A. Purpose

To establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.

B. Persons Affected

This policy applies to all individuals who have, or may require, special access privilege to any University of Texas at Tyler (the "University") Information Resources.

C. Definitions

Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. 

Information Resources Manager (IRM): Responsible to the State of Texas for management of the University's IR. The designation of an IRM is intended to establish clear accountability for setting policy for IR management activities, provide for greater coordination of the University's information activities, and ensure greater visibility of such activities within and between state agencies. The IRM has been given the authority and the accountability by the State of Texas to implement Security Policies, Procedures, Practice Standards, and Guidelines to protect the IR of the University. If an agency does not designate an IRM, the title defaults to the agency's Executive Director, and the Executive Director is responsible for adhering to the duties and requirements of an IRM. 

Information Security Officer (ISO): Responsible to the executive management for administering the information security function within the University. The ISO is the University's internal and external point of contact for all information security matters. 

Information Technology (IT): The University department responsible for computers, networking and data management. 

Security Administrator: The person charged with monitoring and implementing security controls and procedures for a system. The University will have one ISO and may designate a number of security administrators. 

System Administrator: Person responsible for the effective operation and maintenance of IR, including implementation of standard procedures and controls, to enforce the University's security policy. 

Abuse of Privilege: When a user willfully performs an action prohibited by University policy or law, even if technical controls are insufficient to prevent the user from performing the action. 

Vendor: Someone who exchanges goods or services for money or other consideration.

D. Policy

On Windows and Macintosh computers, a user requires special administrative privileges to:

• install software, 
• modify system settings, and 
• manage users. 

These tasks are restricted by default since they can have a profound impact on the stability and usability of a computer. Due to the availability of trained and experienced support staff and the inherent dangers of inappropriate, uninformed, or unintentional use of log-ins with administrative rights, the University restricts the use of administrative rights.

Long term administrative rights are typically reserved for IT personnel who are responsible for providing administrative services such as system maintenance and user support. For most cases, another acceptable solution can be reached without the need for long term administrative rights. In unique instances, administrative rights may be issued to faculty and/or staff on either a temporary or ongoing basis to perform tasks within the scope of their employment. Users who have been granted administrative rights on their workstations must not only go through an approval process, but also demonstrate a knowledge and understanding of workstation configuration management, responsibilities associated with the elevated privileges, and security healthcare/higher education policies and laws. Users who have been granted administrative rights on University workstations are referred to as "authorized users".

General

• All users must sign the University Acceptable Use Policy and Confidentiality Statement or Business Associate Agreement as appropriate before access is given to an account.
• All users of Administrative/Special access accounts must complete the University Workstation Local Administrative Rights Request and include required authorization. The request form must be submitted for review and approval annually by January 31. Administrative/Special access rights will not be automatically renewed.
• Each individual who uses Administrative/Special access accounts must refrain from abuse of privilege and/or making changes to the configuration of the computers, including formatting, uninstalling University supported software, etc.
• Each individual who uses Administrative/Special access accounts must use the account privilege most appropriate with work being performed (i.e., user account vs. administrator account) when multiple accounts have been created with differing privileges.
• The password for a shared Administrative/Special access account must change when an individual with the password leaves the department or the University, or upon a change in the vendor personnel assigned to the University.
• In the case where a system has only one administrator, there must be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.
• When Special Access accounts are needed temporarily for Internal or External Audit, software development, software installation, or other defined need, the accounts:
• must be authorized,
• must be created with a specific expiration date, and
• must be removed when work is complete.

Authorized User Responsibilities

Authorized users are responsible for:

• changing their Active Directory passwords at least every 30 days;
• maintaining the integrity of their workstations;
• NOT creating local accounts or granting elevated access to other users on their computers;
• maintaining software licensing information for any business software personally installed on their workstations after following the standard software purchasing process;
• NOT installing software for personal use on the University workstations;
• routinely checking for and eliminating spy-ware, or any similar data gathering and reporting software, from their workstations (additional protection tools may be required for purchase by the department);
• NOT sharing their user-names and passwords with others for access to the University network;
• Immediately reporting any system failures and/or compromises in security measures to the IT Help Desk; and
• reading and adhering to University policies, specifically including the following :
• IHOP Information Resources Acceptable Use,
• IHOP Encryption Guidelines,
• IHOP Information Security Policy, and
• all University privacy policies.

Authorized users must not install or use software considered insecure or that do not incorporate an encryption scheme. These include but are not limited to email applications, FTP clients, and Telnet applications that do not employ secure connections.

Alternative to Authorized User Status

As an alternative to personally acquiring administrator rights on the workstation, a user can contact the IT Help Desk to schedule software installations. This is the standard approach.

IT Terms of Support

IT will continue to provide Microsoft system patches, application software patches, and antivirus updates through the system wide client management platform to all University workstations. University computer users must not block or in any manner disable and/or revise any services on the workstations that may prevent these and other routine maintenance procedures.

IT will not be able to restore a configuration customized by the user, including an authorized user. In the event of a computer failure, the IT Help Desk will restore the original base image on the computer.  The base image includes an operating system and any software maintained by IT. All documents that are synchronized to the network server will be restored if possible. All University issued desktop machines must be administered in accordance with standard configurations, and all computers must:

• be joined to the University Active Directory domain (any special exemptions must be approved by Information Security and IT);
• have remote management software installed to facilitate administration and upgrades;
• have active properly configured anti-virus software;
• and have service packs or patches as deemed necessary by IT.

Note: Network monitoring and intrusion detection is performed as deemed necessary and appropriate by IT.

Loss or Denial of Authorized User Status

If an authorized user abuses his/her administrative access, IT will revoke this access immediately and will restore the original base image on the computer. Abuse is defined as, but not limited to:

• downloading software that is malicious to the University network;
• downloading unlicensed/illegal software;
• downloading copyrighted material without permission;
• downloading viruses and/or Trojans to the University network that are specifically attributed to user software installations/downloads;
• public exposure to sensitive data and/or;
• not adhering to University policies and procedures.

Enforcement

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University Information Resources access privileges, civil, and criminal prosecution.

Reference(s):

Copyright Act of 1976

Foreign Corrupt Practices Act of 1977

Computer Fraud and Abuse Act of 1986

Computer Security Act of 1987

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The State of Texas Information Act

Texas Government Code, Section 441

Texas Administrative Code, Chapter 202

IRM Act, 2054.075(b)

The State of Texas Penal Code, Chapters 33 and 33A

DIR Practices for Protecting Information Resources Assets

DIR Standards Review and Recommendations Publications

UTHSCT Workstation Local Administrative Rights Request form

 

H. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.