Administrative Account Access Control Implementation Guidelines

The campus will develop a new process for the granting, review and periodic audit of privileged accounts, allowing for policy enforcement, audit and independent third-party review.  Active Directory is one possible solution. Below is an example procedure from Sonoma State:

All campus departments will follow this documented process or an equivalent that meets or exceeds this standard for provisioning initial access, additions, changes, and terminations of access rights for privileged access. The SF State Authorization & Review Form is available at http://tech.sfsu.edu/sites/default/files/Updated%20AdminAccessForm.pdf. The form should also be used to review access of existing account holders. Authorized users and their access privileges should be specified by the data owner, unless otherwise defined by CSU/campus policy.

  • Maintain a list of the critical information assets or protected data to which users have privileged access, including each user's level of access.
  • Document and maintain a list of the IT systems in your group that are used to provision user accounts.
  • Inform the requestor or the requesting group of the risk being assumed by granting access to systems that may be of a critical nature.
  • Document and maintain all approvals and privileges that are granted, including creation, changes and termination.
  • Maintain an auditable record of all requests in a central location that is easy to track and manage, and that can be reported on in the event of an audit.
  • Maintain formal documentation and approvals for access to on-campus information systems such as CMS and other network resources.
  • Establish a periodic review/audit cycle to confirm the currency and validity of all user accounts that you manage, and validate the results with the business system and/or data owners.
  • Controls protecting information assets extend to the primary operational copy, data extracts and backup copies.
  • Appropriate authentication controls will be implemented to safeguard against unauthorized access to critical and protected information assets and data.

User Account Management

  • Ensure that user accounts are unique so that identity can be established.
  • Educate users on the key information security concepts related to identity protection and safety.
  • Document procedures for disabling and reporting inactive user accounts.
  • Authentication credentials used for access to campus critical information assets and protected data must be unique to each individual and may not be shared unless authorized by appropriate campus management.
  • If approval is granted for shared authentication, the requesting organization must be informed of the risks of such access and the shared account must be assigned a designated owner. Shared authentication privileges must be regularly reviewed and re-approved at least annually.

Granting Access to Third Party Service Providers

  • Third party service providers may be granted access to campus information assets only when they need specific access to accomplish an authorized task, and should not be granted permanent privileged access.
  • Access to campus information assets by third party service providers must not be allowed until it has been authorized, appropriate security controls have been implemented, and the Administrative Access Request Form has been completed and approved.

Segregation of Duties Standard/Best Practice

  • Apply the principle of separation of duties when assigning job responsibilities relating to restricted or essential resources.
  • Maintain an appropriate level of segregation of duties when issuing credentials to individuals who have access to critical information assets and protected data.
  • Avoid issuing credentials that give a single user excessive authority over critical assets or protected data.

Modifying/Reviewing Access

  • Develop procedures to detect unauthorized access, and to detect privileges assigned to authorized users that exceed the access rights required for their job functions.
  • Appropriate campus managers and data owners must review, at least annually, user access rights to critical information assets.
  • Document the results of the review and track the associated revisions.

Separation or Change of Employment

  • Implement procedures to revoke access upon termination, or when job duties no longer require a legitimate business reason for access, except where specifically permitted by University policy and by the data owner.
  • When an employee voluntarily or involuntarily separates from the University, promptly remove all information system privileges, including all internal, physical, and remote access.
  • Implement procedures to ensure proper disposition of electronic information resources upon termination.
  • All managers must promptly determine, as the data steward for the separating employee's files, how those files will be handled.
  • Promptly review all electronic and paper files and identify appropriate methods for handling them.
  • Verify that physical access such as keys and access cards are collected or disabled promptly.

Auditing

Audit or review those system administration functions that are not otherwise audited or reviewed in the course of reviewing personal/general user accounts.
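The periodic review cycle for privileged accounts, the reporting of inactive accounts, and the audit of administrative functions above all start from the same artifact: a current list of who holds privileged access and whether that access is still justified. The following PowerShell script is an added example, not part of the campus guideline, showing how that list can be produced from Active Directory (the solution the guideline names as one option). It assumes the RSAT ActiveDirectory module, read access to the domain, the named set of privileged groups, a 90-day staleness threshold, and the convention that a documented owner is recorded in the account's Manager or Description attribute; all of these are assumptions that a campus would adjust to its own environment.

```powershell
# Added example (not campus code): enumerate members of privileged AD groups and
# flag entries that the annual access review must act on. Assumes the RSAT
# ActiveDirectory module; the group list, 90-day threshold and the "owner is
# recorded in Manager/Description" convention are assumptions for illustration.

Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect privileged membership is not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordLastSet, Description, Manager

        # Each finding maps to a review question from the guideline:
        # disabled accounts that still hold membership, accounts nobody has used,
        # credentials that have not been rotated, and access with no documented owner.
        $findings = @()
        if (-not $u.Enabled) { $findings += 'disabled-but-still-member' }
        if ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $Cutoff) {
            $findings += "no-logon-in-${StaleDays}d"
        }
        if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $Cutoff) {
            $findings += "password-older-than-${StaleDays}d"
        }
        if ([string]::IsNullOrWhiteSpace($u.Manager) -and
            [string]::IsNullOrWhiteSpace($u.Description)) {
            $findings += 'no-documented-owner'
        }

        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Owner           = $u.Manager
            Findings        = ($findings -join ';')
        }
    }
}

# Full listing for the data owner's sign-off, plus the subset needing a decision.
$stamp = Get-Date -Format 'yyyyMMdd'
$report | Export-Csv -Path "privileged-access-review-$stamp.csv" -NoTypeInformation
$report | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Two caveats when using output like this for the review: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real activity by up to 14 days, so it is suitable for flagging stale accounts but not for proving an account was unused on a specific day; and membership in these groups is only one form of privileged access, so accounts granted rights through delegated OU permissions, local administrator groups on servers, or application-level roles still need to be covered by the asset list the guideline asks each department to maintain.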