...
This policy applies to all individuals, University-wide, with privileged access to computing systems, network communication, or the accounts, files, data, or processes of other users.
IV. DEFINITIONS
Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
V. POLICY
- Privileged access enables an individual to take actions which may affect computing systems, network communication, or the accounts, files, data, or processes of other users. Privileged access is typically granted to system administrators, network administrators, staff performing computing account administration, or other such employees whose job duties require special privileges over a computing system or network. Privileged access might provide such users with technical access capabilities that are beyond their functional access authority, such as the ability to upgrade their functional access authority.
- Individuals with privileged access must not abuse their access capability and must strictly respect their functional access authority limits, respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with any relevant laws or regulations. Individuals also have an obligation to familiarize themselves with any procedures, business practices, and operational guidelines pertaining to the activities of their local department. In particular, the privacy of information holds important implications for computer system administration at Rowan. Individuals with privileged access must comply with applicable policies, laws, regulations, precedents, and procedures, while pursuing appropriate actions to provide high-quality, timely, reliable computing services.
- Requirements:
  - Privileged access shall only be granted to authorized individuals.
  - Individuals may request privileged access from the Technology Owner. Each Technology Owner must establish, in coordination with the ISO, a standard process for review, approval, and provisioning of administrative access to systems and applications. This process must include proper segregation of duties and provide the ISO with the ability to monitor compliance with the established information security policies and processes.
  - Users with privileged access will have two user IDs in situations where providing access to their standard user ID will create unacceptable risk: one for normal day-to-day activities and one for performing administrative duties.
  - Every privileged account must have its own unique password when provisioned as a dedicated administrative account.
  - Administrators may only use their administrator account to perform administrative functions.
  - Administrators may not use their privileged access for unauthorized viewing, modification, copying, or destruction of system or user data.
  - Users with privileged access have a responsibility to protect the confidentiality of any information they encounter while performing their duties.
  - Users with privileged access are responsible for complying with all applicable laws, regulations, policies, and procedures.
  - Users with privileged access must always be aware that these privileges place them in a position of considerable trust. Users must not breach that trust by misusing privileges or failing to maintain a high professional standard.
  - IRT will maintain a master list from the collected departmental comprehensive list of all privileged user accounts.
  - The ISO will maintain the responsibilities of governance, oversight, and monitoring of the Privileged Account Management process.
- Non-Compliance and Sanctions
  - Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.
...