Standard 5: Privileged Accounts

Revision Number:

New Standard
Major Revision of Existing Standard
Minor/Technical Revision of Existing Standard
Reaffirmation/Review of Existing Standard

Effective Date:

2/24/2020

Revised Date:

2/24/2020

Review Date:

2/24/2020

Responsible Division/Department:
Office of the CIO / Information Technology Services

Users must be made aware of the privileges granted to their administrative accounts, especially those that impact access to information resources or that allow them to circumvent controls in order to administer the information resource. Anyone using accounts with elevated access privileges of this type must adhere to the following requirements.

All University CTechs will be granted administrative access to the University owned IT devices (e.g., laptops, desktops, tablets, servers) deployed in their respective college, school, or unit. Individuals who use accounts with special privileges (for example, Workstation Administrators) must only use these accounts for their intended administrative purposes.
All access via administrative accounts must be logged to the ITS log management solution to ensure proper accountability and transparency. These logs must be retained according to UNF retention schedules, and routinely audited.
Individuals may not use administrative accounts to perform investigations into the potential misuse of information resources except under the direction of the UNF IT Security team.
All UNF employees with elevated privileges must successfully complete a University background check and must acknowledge their responsibilities by annually completing the privileged access training.
The password for a shared administrative account must change when any individual knowing the password:
1. leaves the department or University;
2. changes roles within the department or University; or
3. upon a change in vendor personnel assigned to University contracts having password access.
For all systems serving out information resources there must be a password escrow procedure in place to enable someone other than the administrator to gain access to the system in an emergency situation (e.g., via Passman).
When access to a University owned IT device's administrative account is required by someone other than an ITS support staff member, the following exception criteria must apply:
1. Individuals must only use the administrative account for special administrative functions and default to a lower privileged user account for other day-to-day use;
2. Individuals must complete training to inform them how they can limit use of their administrative access and still accomplish their primary day-to-day functions.
The IT Security team is required to ensure that all privileged accounts are periodically reviewed for the following:
1. administrative accounts that go unused or are no longer required and remove such access; and
2. for inappropriate use, which shall be raised to management for resolution.