[unisog] Administrative and Privileged Access Policy - Clarification of request
Jim.Dillon at cusys.edu
Wed Mar 19 20:32:52 GMT 2003
Given a couple of responses so far, I thought I might clarify our request a bit.
Another way of defining the standards/guidelines we want to develop is to consider the following questions:
"What are the responsibilities requisite with the granting of privileged or administrative access? What are system admins accountable for in their behavior regarding the high level of authority they are granted to perform their tasks? What things might constitute misuse or abuse of the privileges granted with broad system authority?"
If you have standards or guidelines addressing this sort of thing, we'd appreciate them. If your AUP type policies specifically define rights, privileges, and limitations of admin/privileged access, we'd appreciate pointers to them as well. One example of where our policy restricts privileged access is in the definition of authority for access to "individual" data. In other words, machines and data used by individuals for their own work purpose (vs. shared/group resources) have an expectation of privacy that requires the documented approval of a dean or chancellor prior to accessing the data files on that "individual use" machine, or the post-notification in case of emergency access requirements. Whether you agree with this example or not, it is other such examples defining privileged access responsibilities that we seek.
At 11:12 AM 3/19/2003, you wrote:
>One of our campuses has recently finalized a new AUP which defines not
>only end user rights and responsibilities, but also defines some
>expectations for "privileged access."
>We would like to develop some standards and guidelines for
>administrative/privileged access to publish or have administrators
>acknowledge as part of their work agreement. If any of you has such an
>agreement (rights and responsibilities of system administrators/privileged
>access) or standards guideline we'd appreciate a copy or a pointer to it
>if it is online. The goal is to be comprehensive and ensure we don't
>overlook anything useful or innovative someone else has already
>developed. Feel free to send responses directly to me at the email
>address in the sig block below.
>Thanks and best regards,
>Jim Dillon, CISA
>IT Audit Manager
>University of Colorado
>jim.dillon at cusys.edu
>Dept. Phone: 303-492-9730
More information about the unisog