Privileged Access Control Policy
Version 1.1
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to establish protocols for managing Privileged Access to IT Resources, ensuring adherence to the Principle of Least Privilege, and promoting transparency, accountability, and security across the organization through thorough documentation, review, and auditing of access requests.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Regular accounts must never be used for Privileged Access.
- Privileged Access must use a specific account type, such as an A-, TA-, or TS- account, determined by the User's University responsibilities and need.
- All Privileged Access accounts must have their passwords managed through a non-persistent password management protocol, CyberArk, or the Privileged Managed Control Access (PMCA) system.
- The type of account provisioned is based on the requestor's University role and responsibilities, ensuring alignment with their job requirements. Access is categorized as follows:
  - Front-End Access is for operational interaction with user interfaces.
  - Privileged Access is for backend or administrative operations, such as system configurations and database management.
- Privileged Access must adhere to the principles and mechanisms for Non-Persistent Access (e.g., PMCA, CyberArk).
- All requestors must submit detailed access requests for specific servers, systems, or applications and justify the need for Privileged Access via the University's IT ticketing system.
- The Chief Information Officer must approve all Privileged Access requests for the Office of Information Technology personnel.
- All other Privileged Access requests must undergo a thorough Checks and Balances process, regardless of the system or application, to ensure Separation of Duties.
- At least two authorized approvers (e.g., managing supervisor, IT Resources owner) must review requests for Privileged Access. Authorized approvers must:
  - Evaluate the request to ensure access is necessary and appropriate for the requestor's role.
  - Ensure that access is granted at the minimum level necessary for the requestor to perform their job functions.
  - Verify that Privileged Access is justified and document the decision-making process in the University's IT ticketing system for future audits.
- Regular audits of Privileged Access rights must be conducted to ensure compliance with this policy.
- All relevant parties must participate in annual audits or reviews, or as amended per industry best practices, to ensure alignment with the Principle of Least Privilege.
- Any discrepancies or noncompliance must be reported promptly to the managing supervisor and IT Resources owner, and unnecessary access must be revoked or adjusted to maintain security.
Definitions
A- Account is an administrative account assigned to employees whose responsibilities require Privileged Access.
Checks and Balances are mechanisms that prevent unilateral control over access by requiring multiple approvals and ongoing reviews, ensuring that access permissions are granted, managed, and monitored by different roles or teams to enhance security and accountability.
CyberArk is a privileged access management solution that securely stores, manages, and automatically rotates privileged credentials to mitigate risks related to hardcoded or shared credentials.
Front-End Access is interaction with user interfaces or applications for operational tasks without direct access to system configurations or backend operations.
IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Non-Persistent Access is temporary access granted for a specific task or purpose.
Separation of Duties is a security principle that ensures no single user has enough privileges to perform critical tasks independently, reducing the risk of misuse or fraud. This is achieved by dividing responsibilities and permissions among multiple individuals or roles, ensuring that critical actions require collaboration and oversight.
PMCA (Privileged Managed Control Access) is a system designed to enforce temporary, controlled access for privileged accounts, ensuring adherence to the Principle of Least Privilege.
Principle of Least Privilege is a security concept limiting access rights to the minimum necessary to perform a job function, reducing potential misuse or unauthorized access.
Privileged Access is administrative access to systems required for backend operations, such as database management, system configuration, maintenance, management tasks, or application deployment.
TA- Account is a temporary administrative account assigned to consultants, vendors, or other external personnel who need time-based privileged access for specific tasks.
TS- Account is a temporary student account assigned to student workers who require limited privileged access for their job responsibilities.
Related Policies and Procedures
- Account Access Change Control Policy
- Emergency Access via Privileged Access Management Policy
- Non-Persistent Administrative Access Guideline
Implementation Information
Review Frequency | Triennial |
---|---|
Responsible Person | Senior Director of IT Security and Assurance |
Approved By | CIO |
Approval Date | September 27, 2024 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 09/27/2024 | Initial policy |
1.1 | 03/05/2025 | Updated policy statement, updated definitions |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.