Fayetteville Policies and Procedures  946.0 

Privileged Access to Sensitive University Data and Data Systems; Device Administrator Restrictions

  1. Overview
    Privileged account users have job responsibilities that require a higher level of access to sensitive university data resources. This higher-level access poses a risk to the university if privileged accounts are misused or misappropriated.  Users who log into university systems that house or manage university data or functions should only use such access when necessary to complete a university business-related function.  With respect to all users, device administrator privileges should be limited to those with an authorized official purpose. 

  2. Purpose
    The purpose of this policy is to codify the role of privileged access users within the university IT system. Due to the operational knowledge and elevated access to university data resources, individuals with privileged or administrative access are in a unique position of trust and responsibility. Privileged access roles enable an individual to take actions which may affect computing systems, network communication, user accounts, files, data, the processes of other users, or allow access to sensitive information. The policy also outlines campus policy regarding limiting device administrator privileges in order to preserve the safety and integrity of University networks, systems, and data. 

  3. Scope
    This policy applies to users granted privileged access to university systems that house or manage university data or functions, such as system administrators, network administrators, staff performing system/computer account administration, and other users whose job duties require special privileges over a computing system or network. A privileged access user could be a university employee, a contractor, or a vendor engaged by the university.  Privileged access means a heightened level of control over a system that is provided to a limited or restricted set of system users. With respect to device administrator restrictions, this policy is applicable to all uses. 

  4. Definitions
    1. Least Privilege: The principle that only the minimum necessary privileges should be assigned to a user that is granted access to a resource, and that this access should be in effect for the shortest duration necessary. Granting permissions to a user beyond that which is necessary for an action can allow that user to obtain or change information in unwanted ways. Careful delegation of access rights can prevent attackers from damaging a system or accessing sensitive information beyond a functional need to know.
    2. Privileged Account:  A local administrator, domain administrator, data access administrator, or application administrator account present or used on a university system. 

  5. Policy
    1. Least Privilege
      The principle of Least Privilege must be followed for all privileged accounts.
      1. Appropriate university personnel must approve all privileged accounts and review all privileged accounts annually.
      2. Privileged account use must be reserved for tasks that require the use of privileged account.
      3. Users are not to browse the internet from within a privileged account.

    2. Reduction of Privileges
      When the option is available, privileged account users must reduce their privileges when they are no longer required to use the elevated privileges.

    3. System Access
      1. All users who access a Unix or Linux system as a root user or superuser must first log into the system with an ID that uniquely identifies them and for which only they know the password. After logging in, the user can enter the appropriate system command to elevate their account privileges. By first logging in with a unique ID, the user creates an audit trail for any changes committed by the privileged account.
      2. If a user has access to a root user or superuser password for a given system but does not have an individual user account on the system, an account must be created for them.
      3. When utilizing a privileged account to access university systems, users must connect via the university’s network. If privileged account access is required when off-campus, the user must connect to the university’s virtual private networks (VPN) and use university approved multi-factor authentication.
      4. Wherever and whenever possible, privileged account users must authenticate with university approved multi-factor authentication.

    4. Passwords
      Privileged account users must use individual accounts with unique usernames and passwords that comply with the university password policy. If there is a business need for shared credentials, an approved password storage system must be used. Access to the password storage system must be controlled by the university’s approved multi-factor authentication.

    5. Device Administrator Privileges
      Users should not have administrative privileges on their university device unless the configuration of the system is a direct job requirement.  In the case that a user needs full time administrator rights, they must request and receive an approved exemption.

    6. Privacy
      1. Individuals with privileged accounts must respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with all relevant laws, policies, and regulations.
      2. In all cases, access to other individuals’ electronic information shall be limited to the least review of contents and the least action necessary to resolve a situation.
      3. Individuals have an obligation to keep themselves informed about any procedures, business practice, and operational guidelines for the activities of their local department.
      4. Privileged access users shall take necessary precautions to protect the confidentiality and integrity of information encountered in the performance of their duties.
      5. If, during the performance of their duties, users observe unusual activity or evidence indicating misuse, they must immediately notify the Office of the Chief Information Security Officer (CISO).

    7. Training
      1. Privileged users should understand their roles and responsibilities. Certain staff may be required to complete additional training depending on their specific job requirements upon hire and at least annually.
      2. Departments are responsible for offering specific role-based training to provide access to accounts for authorized users with privileged access.
      3. Privileged access users should be trained to minimize administrative privileges and only use administrative accounts when they are required.
      4. Role-specific privileged account training will include changing all default passwords before deploying any new applications, operations systems, routers, firewalls, wireless access points, and other systems.
      5. Privileged user training should be provided to authorized individuals prior to them receiving their privileged access. Managers of privileged users should provide this role-specific training.
        1. Such training should be documented and tracked. Privileged user training should be reviewed annually, as well as upon necessary system changes, and updated accordingly.
  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices. Code of Computing Practices | VCFA | University of Arkansas (uark.edu)

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

  9. References
    1. NIST (National Institute of Standards and Technology) 800-53r5:  Security and Privacy Controls for Information Systems and Organizations
    2. Cybersecurity & Infrastructure Security Agency: Least Privilege

August 8, 2022