Date: Thu, 28 Mar 2024 22:33:28 -0400 (EDT)
Message-ID: <830955247.13089.1711679608879@confluence05.rowan.edu>
Subject: Exported From Confluence
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_Part_13088_1484281037.1711679608873"
------=_Part_13088_1484281037.1711679608873
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/exported.html
ROWAN UNIVERSITY
=
Title: Privileged Account Management Policy
Subject: Information Security
Policy No:=
ISO:2016:02
Applies: University-=
Wide
Issuing Authority: Senior Vice Pres=
ident for Information Resources and Technology and Chief Information Office=
r
Responsible Officer: Information Security Di=
rector
Date Adopted: 04/01/2016
Last Revision: 10/27/2023
Last Review: 07/03/2018
I. PURPOSE
The purpose of this policy is to prev=
ent inappropriate granting and use of privileged access by IRT staff, Appli=
cation Super Users, Departmental System Administrators and any individual p=
rovided with privileged access to Rowan University information systems.
ii. ACCOUNTA=
BILITY
Under the direction of the President,=
the Chief Information Officer, IRT Director(s) and Departments, Schools an=
d Business Units, the Information Security Office (ISO) shall implement and=
ensure compliance with this policy.
III. APPLICABILITY=
This policy applies to all individual=
s, University wide, with privileged access to computing systems, network co=
mmunication, or the accounts, files, data, or processes of other users.
IV. DEFINITIONS
Refer to the Rowa=
n University Technology Terms and Definitions =
for terms and definitions that are used =
in this policy.
V. POLICY
- Privileged access enables an individual to take actions which may affec=
t computing systems, network communication, or the accounts, files, data, o=
r processes of other users. Privileged access is typically granted to syste=
m administrators, network administrators, staff performing computing accoun=
t administration, or other such employees whose job duties require special =
privileges over a computing system or network. Privileged access might prov=
ide such users with technical access capabilities that are beyond their fun=
ctional access authority such as upgrade their functional access authority.=
- Individuals with privileged access must not abuse their access capabili=
ty and strictly respect their functional access authority limits, respect t=
he rights of the system users, respect the integrity of the systems and rel=
ated physical resources, and comply with any relevant laws or regulations. =
Individuals also have an obligation to familiarize themselves regarding any=
procedures, business practices, and operational guidelines pertaining to t=
he activities of their local department. In particular, the privacy of info=
rmation holds important implications for computer system administration at =
Rowan. Individuals with privileged access must comply with applicable polic=
ies, laws, regulations, precedents, and procedures, while pursuing appropri=
ate actions to provide high-quality, timely, reliable, computing services.<=
/li>
- Requirements:
- Privileged access shall only be granted to authorized individuals.
- Individuals may request privilege=
d access from the Technology Owner. Each Technology Owner must establish, i=
n coordination with the ISO, a standard process for review, approval, and p=
rovisioning of administrative access to systems and applications. This proc=
ess must include proper segregation of duties and provide the ISO with the =
ability to monitor compliance with the established information security pol=
icies and processes.
- Users with privileged access will have two user IDs in situations where providing access to their standard u=
ser id will create unacceptable risk: one for normal day-to-day acti=
vities and one for performing administrative duties.
- Every privileged account must have its own unique password when provisi=
oned as a dedicated administrative account.
- Administrators may only use their administrator account to perform admi=
nistrative functions.
- Administrators may not use their privileged access for unauthorized vie=
wing, modification, copying, or destruction of system or user data.
- Users with privileged access have a responsibility to protect the confi=
dentiality of any information they encounter while performing their duties.=
- Users with privileged access are responsible for complying with all app=
licable laws, regulations, policies, and procedures.
- Users with privileged access must always be aware that these privileges=
place them in a position of considerable trust. Users must not breach that=
trust by misusing privileges or failing to maintain a high professional st=
andard.
- IRT will maintain a comprehensive li=
st of all privileged user accounts.
- The ISO will maintain the responsibilities of governance, oversight, an=
d monitoring of the Privileged Account Management process
- Non-Compliance and Sanctions
- Violation of this policy may subject the violator to disciplinary actio=
ns, up to or including termination of employment or dismissal from a school=
, and may subject the violator to penalties stipulated in applicable state =
and federal statutes.
By Direction of the CIO:
Mira L=
alovic-Hand,
SVP and Chief Information Officer
------=_Part_13088_1484281037.1711679608873--