IT Administrator/Special Access: IS

 

PURPOSE:

The purpose of this policy is to provide a set of measures that will mitigate information security risks associated with IT Administrators/Special Access.

IT Administrators/Special Access refers to users who have elevated account privileges. Therefore, these privileges must be restricted and granted only to those with an academic or business justification. Administrator accounts and other special-access accounts may have extended and overarching privileges. Thus, the granting, controlling and monitoring of these accounts is extremely important to the overall SPC information security program. The extent of access privileges granted or used should not exceed that which is necessary.

 

SCOPE:

The SPC IT Administrator/Special Access Policy applies equally to all individuals who have, or may require, special access privilege to any SPC information technology resources.

 

POLICY STATEMENT:

Appropriate security levels and requirements must be determined for all special access accounts that utilize SPC information technology resources. In order to safeguard information technology resources, the following controls are required:

  1. All users of Administrative/Special Access accounts must have account-management instructions, documentation, and authorization.
  2. All users must sign the SPC Non-Disclosure Agreement and be current on their annual Security Awareness Training before access is given to an account.
  3. Each individual who uses special access accounts must use the account privilege most appropriate to the work being performed (i.e., user account vs. administrator account).
  4. Each account used for special access must comply with the “Passwords” guidelines stipulated in the SPC User Accounts Password Policy (IC).
  5. The password for a shared special access account must change when an individual with the password leaves the department or SPC, or upon a change in the vendor personnel assigned to the SPC contract. The account must also be re-evaluated as to whether it should remain a shared account or not. Shared accounts must be kept to an absolute minimum.
  6. In the case where a system has only one administrator, a password escrow procedure must be in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.
  7. When special access accounts are needed for audit, software development, software installation or other defined need, special access must be:

     a. Authorized by the system owner or the Associate Dean for Information Services (acting as the Information Resource Officer and Information Security Office as a part of administrative responsibilities, but not holding the title as a part of official documentation with Human Resources). (E.g., SPC-IS Client Services is the system owner for all SPC desktops, laptops, and tablets.)

     b. Created with a specific expiration date or annual review date.

     c. Removed when work is complete.

  8. All privileged commands issued in association with special access must be traceable to specific individuals via the use of comprehensive logs.

 

DEFINITIONS:

Information Resources Manager (IRM): Officer responsible to the State of Texas to manage SPC information technology resources.

Information Security Officer (ISO): Officer designated to administer the College Information Security Program.

IT Administrators/Special Access: Users who have elevated account privileges that must be restricted and granted only to those with an academic or business justification.

Mitigate: The elimination or reduction of the frequency, magnitude, or severity of exposure to risks in order to minimize the potential impact of a threat.

Non-Disclosure Agreement: Formal acknowledgement that all employees must sign, stating that they have read and understand SPC requirements regarding computer security policies and procedures. This agreement becomes a permanent record and will be renewed annually.

System/Data Owner: Departmental position responsible for classifying business data, approving access to data, and protecting data by ensuring controls are in place.

 

Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

 

Approved by: Executive Council, September 24, 2018

Next Review: October 1, 2020