TTUHSC IT Policies
1.4.3 ADMINISTRATOR/SPECIAL ACCESS
This policy provides a set of requirements for the regulation and use of administrator or special access on the TTUHSC systems. This policy will provide a mechanism for the addition and removal of people from special access in the Active Directory domain and a mechanism for periodic reviews of the administrator/special access database.
Special Access will need to be requested by the information owner or designee and submitted to the I.T. Solution Center at http://www.ITSolutions.ttuhsc.edu
Regulation of Special Access Accounts:
- Special access on TTUHSC systems is maintained and monitored by both Data Center Operations and the Information Security Officer.
- Passwords for special access accounts are changed on a regular basis as determined by Institutional policy.
- Special access is only provided to individuals who need the access to perform their job.
- Any misuse of special access privileges must be reported to the TTUHSC Information Security Officer when discovered.
- Persons requesting special access must follow all procedures outlined in the Special Access Guidelines.
- Persons who misuse their special access privilege can have special access revoked and may face Institutional disciplinary action (see Policy 10 - Disciplinary Process).
- Special access is reviewed on a periodic basis as defined below.
- All persons who currently (prior to the approval of this policy) have special access are required to submit a completed Special Access Request form and a signed Special Access Guidelines agreement.
Performing a Periodic Review of the Special Access Database
A review of special access will be made on an annual basis or as determined by the TTUHSC Information Security Officer. The review process will involve the following steps:
- A report will be generated from Active Directory. The report will list: special access by system and access type; and access by person (i.e., for each person, all access given to that person is listed).
- The reports will be distributed to the Information Security Officer, the Manager of the Data Center, and the manager of users given special access. Each person reviews the list (or the appropriate part of it) to determine if any changes should be made.
- Should anyone determine that an individual needs to be added to other special access groups, that individual must submit a Special Access Request form requesting the additional access.
- If there are any deletions to be made to the permissions, the Manager of the Data Center will make the appropriate changes.
Special Access Guidelines
This agreement outlines the use of special access on TTUHSC computers. Special access is defined as having domain access other than as a domain user. The TTUHSC environment is very complex and dynamic. Due to the number and variety of computers and peripherals, special access must be granted to numerous people so the TTUHSC facility can be properly supported. People with special access must develop the proper skill for using that access responsibly.
The Special Access Guidelines have been developed to help people to use their special access in a responsible and secure manner. All persons requesting special access must read and follow these guidelines.
- Be aware of your TTUHSC computing environment.
- Always log on systems where you have an account as yourself. Any action done under a special access account should have an audit trail.
- Use special access only if necessary.
- Many system tasks require the use of root or other special access. However, there are many tasks that can be done without the use of special access. When at all possible, use regular accounts for troubleshooting and investigating.
- Complete the appropriate Change Request processes specified in Section 1.4.5. Document all major actions and/or inform the appropriate people.
- Documentation provides a method to analyze what happened. In the future, others may want to know what was done to correct a certain problem. The Lead System Analyst or Manager of the Data Center is to be informed BEFORE any changes are made to system specific or configuration files.
- Have a backup plan in case something goes wrong. Special access, especially root or administrative access, has a large potential for doing damage with just a few keystrokes. You must be able to restore the system to its state before the error occurred.
- With the use of special access, situations arise that have never come up before. Although TTUHSC has many written procedures, they do not cover every circumstance possible. If any doubt exists about how you should proceed on a problem, ask for assistance.
Specific Considerations Regarding Special Access
- Do not share special access passwords with anyone.
- Do not write down the special access passwords or the current algorithm.
- Do not routinely log onto a system for which you have an account, as “root” or any other special access account.
- Do not read or send personal mail, play games, read the net news or edit personal files using a special access account.
- Do not browse other users’ files, directories or email using a special access account.
- Do not make a change on any system that is not directly related to your job duties. The TTUHSC System Administration Handbook states “The Lead System Analyst is responsible for approving all changes to the system(s) of his/her responsibility. No changes are to be made to any system configuration file or executable file without prior approval of the Lead System Analyst and Manager of the Data Center.” Making a change AND then informing the Lead System Analyst is considered a violation of this guideline.
- Do not use special access to create temporary files or directories for your own personal use.