Privileged Access Control Policy

Purpose

The purpose of this policy is to establish protocols for managing privileged access to systems and applications, ensuring adherence to the principle of least privilege, and enforcing Separation of Duties. It promotes transparency, accountability, and security across the organization through thorough documentation, review, and auditing of access requests.

Scope

This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

• All requestors must submit detailed and accurate access requests for any system or application and justify the need for access, particularly for elevated or privileged access via ServiceNow.
• Privileged access requests must undergo a thorough Checks and Balances process, regardless of the system or application, to ensure Separation of Duties (SoD).
• At least two authorized approvers (e.g., managing supervisor, IT Resources owner) must evaluate requests for privileged access.
  • Authorized approvers must:
    • Review access requests for all systems and applications in ServiceNow.
    • Evaluate the request details to ensure access is necessary and appropriate for the requestor's role.
    • Verify that privileged access is justified and document their decision-making process in ServiceNow.

• Ensure that access is granted at the minimum level necessary for the requestor to perform their job functions.

• All approvals must be documented in the ITSM system, including the justification for granting access, stored securely and easily accessible for future audits.
• Regular audits must be conducted to ensure compliance with this policy across all systems and applications.
  • All applicable parties must participate in or a frequency as amended pursuant to industry best practices to ensure continued alignment with the principle of least privilege across all systems and applications.
  • Discrepancies or noncompliance must be reported to the relevant authority (e.g., managing supervisor, IT Resources owner), and any unnecessary access rights must be revoked/adjusted promptly to maintain security.

Definitions

Checks and Balances are mechanisms that prevent unilateral control over access by requiring multiple approvals and ongoing reviews, ensuring that access permissions are granted, managed, and monitored by different roles or teams to enhance security and accountability.

 IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Separation of Duties is a security principle that ensures no single user has enough privileges to perform critical tasks independently, reducing the risk of misuse or fraud. This is achieved by dividing responsibilities and permissions among multiple individuals or roles, ensuring that critical actions require collaboration and oversight.

Related Policies and Procedures

• Account Access Change Control Policy
• Emergency Access via Privileged Access Management Policy

Implementation Information

Revision History

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.