Background
Faculty and staff may have a legitimate need for local administrative rights on University-owned computer devices. Administrative rights may be required to install software and updates, perform computer management tasks, or run some software packages. Typically, such rights are reserved for information technology personnel who are responsible for computer system maintenance and user support.
However, using administrative access for everyday tasks such as reading e-mail or browsing the web carries an increased risk. Malicious software can take advantage of administrative rights to jeopardize the operational integrity of a computer system. Compromised accounts with administrative rights may allow intruders to disrupt computer or network operations, steal information, or gain unauthorized access to data residing on the system or on attached computer devices.
Improperly applied administrative rights may directly impact the security, availability, stability, and usability of a computer, of other Stanislaus State computers, and of the University network. For this reason, it is prudent to restrict administrative access for any user who has access to Level 1 data. Routine tasks that do not require local administrative access, such as web browsing and reading email, should be executed using non-administrative or user-level accounts. Stanislaus State will strictly adhere to the principle of “least privilege” when granting local administrative rights.
Purpose
The purpose of this standard is to define information security requirements for requesting, granting/denying, revoking, and proper use of local administrative rights.
Scope
This standard applies to University-owned devices and to all individuals who have:
- Access to Level 1 data
- Demonstrated an academic and business need for such access
- An understanding of the responsibilities associated with this access
- Obtained MPP supervisor and Dean/VP or designee approval
Definitions
1. Local Administrative Rights or Access
- An employee with local administrative rights has unrestricted access to modify the configuration of the operating system level settings, install and update software, and perform other maintenance tasks on their University-owned computer device
2. Least Privilege
- A security principle that advocates an employee should use an account that is granted only the minimum access permissions necessary to complete a task or perform job functions and nothing more
3. Campus Computing Account
- An account that exercises least-privilege permissions by granting minimum access rights necessary for an employee to complete a task
Standard
Compliance Requirements
Per CSU Information Security policies, the University cannot grant local administrative access to a computing device through an employee’s campus computing account if the employee has access to Level 1 data. If local administrative access to a device is required, Stanislaus State must ensure that any changes to the computer go through a change control process.
To request local administrative access to a computing device, follow the process defined below. If approved, local administrative access to the device is provided to the employee via a separate administrative account.
Standard Process
1. Request Process: By default, employees are granted user-access level on their computing devices. Local administrative access is granted on an as-requested basis for a particular device based on a justification of the need. To request local administrative access:
- Read this Standard and understand the increased risk and responsibility inherent in operating with administrative rights to your University-owned computer device
- Complete and sign the Administrative Rights Request Form
- Submit the form to your local technical coordinator group
2. Approval Granted: If the request for administrative rights is granted, technology staff will create an additional administrator account (username and password) for the computer. This additional Administrative Rights Account is to be used only when you need administrative permissions on your University-owned computer and only for the specific purpose for which the administrative rights were granted to you. For all other work, the employee must log in using their campus computing account credentials.
3. Approval Duration: Due to the evolving nature of information security risks and for auditing purposes, Stanislaus State must retain documentation of all requests as evidence that administrative rights have been properly requested, approved, and reviewed annually to validate that access is still valid and/or that the employee still requires the approved access. The local technical coordinator is responsible for documenting approved local administrative rights for their college/department and reporting to the Information Security Officer annually.
4. Administrative Rights Revocation: As an alternative to acquiring Local Administrator Rights Access, Stanislaus State has trained technology staff (central IT staff and college technical staff) available to help install software on university-owned devices. Locate your local technical coordinator group. Administrative rights may be revoked for the following reasons:
- Employee no longer serves in a role that requires administrative privileges to perform job tasks
- Employee no longer uses software that requires administrative privileges
- New administrative processes or technical capabilities negate the need for local administrative access
- Employee is involved in a data breach of Level 1 and/or Level 2 data that is related directly to their having administrative privileges
- Employee demonstrates unsafe practices while using administrative privileges, such as:
  - Downloading software that is malicious to the Stanislaus State network and systems
  - Downloading unlicensed / illegal software
  - Downloading copyrighted material without permission
  - Downloading malware to your machine in a way that is specifically attributable to the use of administrative rights
  - Modifying or disabling services on the machine in a way that may interfere with or prevent software and system patches, upgrades, malware and vulnerability scans, and other routine maintenance procedures
5. Employee Responsibilities: Employees granted local administrative access must adhere to the following:
- Comply with all CSU Information Security Policy and Standards and Stanislaus State Information Security Policy and Standards, including Acceptable Use Policy
- Use the campus computing account for all routine work, and use the administrative rights account only when needed to install or update software
- Use only software in compliance with licensing and contractual agreement per Stanislaus State Procurement Services
- Install and use only software applications and tools required for an employee’s work in support of the University
- Immediately report any system failures and/or security compromises to your local technical coordinator group
- Ensure that University-owned computers:
  - Are built from a current standard secure configuration checklist
  - Have up-to-date anti-virus software installed and maintained
  - Keep regular updates to virus definitions and software enabled
  - Are configured to allow automatic application of software updates through a formal patch management system
Further Information
Information Security Office Email: security@csustan.edu