POLICY DRAFT - Updated: 9-1-2015
Introduction
Requirements for Privileged Access
- Privileged access is only granted to employees requiring special access to perform their job responsibilities.
- Eligible employees are required to sign and agree that they have read, understand it, and will comply with the policy prior to being granted privileged access.
Administrative credentials are not to be shared or disclosed under any circumstance, except with the express approval of the CIO.
Employees with Privileged Access agree to:
Use Privileged Access Appropriately
- Administrative credentials are not to be used as a primary login for non-privileged access and activities.
- Privileged access may only be used when performing administrative job duties that require elevated permissions.
Respect Privacy
- Never “browse” through the personal or institutional data while using the powers of privileged access, unless such browsing is a specific part of their job description (e.g. computer auditor); is required during file system repair, management, or restoration; is necessary to investigate suspicious or system-impairing behavior; or is specifically requested by, or has the approval of, the person who authorized the privileged access.
- Investigative activities must be authorized by the SPU president, provost, VP or the CIO. See Privileged Account Audit and Usage Policy for details.
- Take responsibility to protect the confidentiality of any information they encounter while performing their duties.
- Never disclose, to any unauthorized person, computer information observed while operating with privileged access.
- Not copy any computer information for any purpose other than those authorized under defined job responsibilities.
Protect Institutional Data
- Not intentionally or recklessly damage or destroy any institutional data.
- Not take actions on computer systems under their charge that will impair the integrity or security of that system or other University systems.
- Not modify or delete data unless it is done in accordance with SPU policies and procedures.
Enforce Security and Legal Compliance
- Use all available protections to safeguard computer system(s) under their charge from unauthorized access by any person or another computer.
- Report all suspicious requests, incidents, and situations regarding an SPU computing resource to an appropriate member of management or the CIO.
- Comply with all computer security standards and policies in force at SPU.
- Not attempt to gain or use privileged access outside of assigned responsibilities, or beyond the time when such access is no longer required in job functions.
- Not tell or disclose to any unauthorized person the information required to gain privileged access, or to engage in careless practices that would reveal that information to unauthorized persons.
- Not change or develop any computer software in such a way that would (1) disclose computer information to unauthorized persons or (2) make it possible to retain any special access privilege, once that authorized privilege has been terminated by management.
- Not do special favors for any user, member of management, friend, or any other person regarding access to SPU computing resources in a manner that would circumvent prevailing security protections or standards.
- Maintain awareness and responsibility for complying with all applicable laws, regulations, policies, and procedures.
Granting of Permissions
Many Privileged Users have the ability to grant access SPU systems and/or Institutional Data they administer, including the ability to grant others privileged user access to that system. Privileged Users are responsible for permissions they grant as follows:
Supervisors and admins approving or granting privileged access are accountable for any abuse of privileged access if proper procedures were not followed when granting said access.
When granting permissions, Privileged Users are responsible for:
- Following any policy or procedure governing the granting of permissions or access related to the system in question.
- Receive authorization from a system owner, supervisor, or other administrator authorizing the granting of permissions.
- Questioning the requester and/or approver to ensure appropriate access is being granted.
When Granting Privileged Access, Privileged Users are responsible for:
- Following all the above noted responsibilities for granting permissions.
- Referring new privileged user to training materials, documentation, and/or policy relevant to their new access.
- Receiving a copy of this policy, signed by the requester, department approver, and approving IT director.
- Following a least privileges methodology, granting on access required by the grantee's job duties and nothing more.
When granting permissions, Approvers are responsible for:
- Following any policy or procedure governing the granting of permissions or access related to the system in question.
- Verifying with the grantor that the access/permissions are appropriate for the requester.
Provisions for Revocation of Privileged Access
Users with privileged access must always be aware that these privileges place them in a position of considerable trust. Users must not breach that trust by misusing privileges or failing to maintain a high professional standard.
Violation of the terms in this agreement are reported to the CIO, will be dealt with seriously, and may subject the employee to loss of privileged access, and/or disciplinary action, including but not limited to termination of employment. Illegal acts involving SPU computing resources may also be subject to prosecution by all applicable federal, state, and local authorities.
Definition of Terms
Term | Definition |
---|---|
Access | To view, use, or change information. |
Authorized duties or activities | Duties or activities that are established by those with appropriate authority (e.g., department head, director, dean, manager, or supervisor) related to the role or function of the employee. |
Confidential | Confidential Information is information that is very sensitive in nature, and requires careful controls and protection. Unauthorized disclosure of this information could seriously and adversely impact Seattle Pacific University or the interests of students, other individuals and organizations associated with SPU. Examples include: personally identifiable information, protected health information, employment records, student records, financial records, social security numbers, credit card numbers, legally protected University records, and passwords. |
Confidentiality | Expectation that information will be protected from unauthorized use or disclosure. |
Institutional Data | Any and all data that is collected and maintained by Seattle Pacific University related any university operations. |
Disclose | Make known, reveal, release, transfer, or provide access to information in any manner. |
Personally | Personally Identifiable Information (PII) is information that is a subset of individual and student information, including demographic, financial, or sensitive information collected from an individual and:
|
Privileged User | Any individual granted privileged access to information, systems, or databases at at Seattle Pacific University that extends beyond one’s access to one’s own self-service data. |
Protected Health Information (PHI) | Protected Health Information is protected by HIPPA and is a subset of personally identifiable information maintained in permanent health records and/or other clinical documentation in either paper-based or electronic format. |
Proprietary information | Seattle Pacific University possesses exclusive rights over the information within its systems. This includes business plans, academic records, financial information or other sensitive materials and information in printed, electronic or signed/spoken form that may affect employee rights or the organization’s operations. |
Safeguard | Protect or cover from exposure, using precautionary measures. |
System Administration | System administration duties consist of all aspects of managing a technology-based information system, including but not limited to, user administration, front-office and back-office hardware and software configuration and management, data base administration, and network, domain, and other technology infrastructure management. |