Administrative Rights

I. PURPOSE

1. This policy is required to aid in the development of a secure computing environment where unique challenges exist due to the diverse community being supported (Education, Business, and Religious).
2. Statistics have proven that an overwhelming majority of vulnerabilities can be mitigated against by simply removing administrative rights from users and it comes at little to no cost to an organization. User computers (access layer of the network) are where many of the greatest risks to enterprise security lie, and giving users controlover those endpoints only opens networks to more risk. Best practice is using what’s called a "least privileged" model for controlling access to sensitive information.Meaning, unless your job truly requires access to it, you don't get any access to it.
3. With respect to members of the Saint Vincent College Faculty, this document is not meant to conflict with, alter or modify in any way the policies and procedures set forth in Section 4.2 (Computer Usage) of the Faculty Handbook. To the extent that there is any perceived inconsistency between Section 3.4.2 and this document, the provisions of Section 3.4.2 prevail with respect to any matter dealing with a member of the College Faculty. This policy also does not supersede any provision of the College’s Acceptable Use Policy, IT Security Policy, or PCI DSS Security Policy.

II. Impact

1. Participants (scope): All end users (administration, faculty, staff, students, monks, priests, and alumni with accounts) of the Saint Vincent community.
2. Implementation: CIO is responsible for implementation and
3. Other Affected Parties: All
4. Potential Impact: There is a substantial budgetary, legal, and logistical impact required to ensure this policy is enforced.

III. COMPLIANCE

1. Strategic Plan (if applicable): IT Strategic
2. Applicable Laws (if applicable): Policy makes best effort to support compliance of the IT International Mobile Computing policy, Acceptable Use Policy, PCI Security Policy, GLBA Safeguards Rule, GDPR, DMCA, HEOA, CALEA, HIPAA, CAN-SPAM Act, Fair Credit Reporting Act, USA PATRIOT Act, FTC Red Flags Rule, Fair and Accurate Credit Transactions Act, and dozens of other privacy/security- related laws and regulations.
3. Authorization: President and CIO have authorization for approving this policy.
4. Exceptions: Any member of the President’s Senior Cabinet/Council can request day- to-day policy exceptions, but notice should be provided accordingly as granted.

IV. POLICY AND PROCEDURE ELEMENTS:

1. Index: N/A
2. Definitions: N/A
3. Statement of Need, History: The College, Archabbey, Seminary, and Parish continue to change, grow and embrace an increased use of technology to support its institutional goals and mission.
4. Body of policy and procedures: As follows:

As a community of educators, students, business people, and religious leaders committed to the values and perspectives of the Catholic Benedictine tradition, we recognize the potential benefit, as well as danger, in the use of technology. Consequently, we make careful use of the products of science and technology in order that we might responsibly fulfill our callings as students, faculty, staff, monks, and priests. We are stewards of technology and therefore, acknowledge our accountability to one another and to the mission of Saint Vincent.

Each member of the Saint Vincent community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, mobile devices, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. This Administrative Rights policy is not exhaustive in coverage, but rather provides the essential framework, guidelines, and recommendations to secure computing in today’s technological environment.

On Windows and Macintosh computers, a user requires special administrative privileges to:

• install software
• perform updates
• modify system settings
• manage users

Specifically on Windows computers, these tasks are restricted by default since they can have a profound impact on the stability and usability of a computer. On Macintosh computers, these tasks are not currently restricted because of the specific way in which Macintosh has configured its Operating System. Thus, users of Macintosh devices are granted an Authorized User status (see below), however IT is in search of a product(s) that would create the ability to have the above tasks restricted by default, similar to Windows computers.

Due to the availability of trained and experienced IT support staff and the inherent dangers of inappropriate, uninformed, or unintentional use of logins with administrative rights, the IT

Department’s policy is to restrict the use of administrative rights. The CIO has the ability to make an exception to the rule of restriction if a unique situation warrants the need for a user to have admin rights (see Authorized User Status below).

This IT policy on administrative rights is intended to support the goal of ensuring the highest level of stability and usability for computers. This is based on the premise that computers are primarily a productivity tool where stability and usability are most important. In such an environment, limiting administrative privileges (least privileged model) is an IT “best‐practice” because change management is one of the foundations of providing a stable computing environment.

Authorized User Status

Administrative rights are typically reserved for IT personnel who are responsible for providing administrative services such as system maintenance and user support. However, in unique instances, administrative rights may be issued to faculty and/or staff (non-IT user) on either a temporary or ongoing basis to perform tasks within the scope of their employment. Non-IT users who have been granted administrative rights on their workstations would be considered authorized users, but may not have the same allowances and stipulations of IT personnel.

A user should never share an account or password with anyone. For applications that do not force password changes, authorized users are expected to change their passwords frequently to help prevent unauthorized access and misuse. Authorized users are also responsible for reading and adhering to all IT policies.

An authorized user has admin rights made available through the creation of a secondary account, known as a “raised access account”, with the format of fname.lname#. A “raised access account” is created for the direct purpose of maintaining the computer resources through admin rights to the local computer. The user (IT and non-IT) must not only demonstrate the ability to configure and manage workstations, but also demonstrate that they understand the responsibility of maintaining appropriate security measures.

The authorized user (IT and non-IT) is responsible for the proper use of the device and the account including password maintenance guidelines and file protection measures (refer to the IT Acceptable Use Policy and the IT Security Policy).

If an authorized user (IT and non-IT) abuses his/her administrative access, causes repeated support/security problems, or violates this policy in any way, such user will immediately have administrative rights revoked and the CIO may seek to employ other sanctions as necessary.

Stipulations specific to the non-IT authorized users:

• In order for a non-IT user to be granted “authorized user” status, the user must produce written justification that they cannot perform their necessary work under the current policy restriction and their request must also be supported by the Supervisor or A Justification Form with Accountability Waiver (Appendix A) is available through the IT Service Desk.
• Admin rights are given to the non-IT authorized user for the direct purpose of maintaining the computer resources requested in the justification, but no portal account is created and no email account is created.
• A “raised access account” is typically provided to a non-IT user when a unique situation occurs that warrants the need for such user to have admin rights to a specific device that the user has within their area of responsibility.
• If the device is an Internet facing device/server:
  1. the user must submit an IT request prior to installation/update of the software in order to keep IT informed of such changes
  2. the user must sign an Accountability Waiver (noted within the Justification Form)
  3. the user is responsible for maintaining operating system software to mitigate the risk of vulnerabilities

• If the device is located in a Lab (PC) environment, the user is required to submit an IT request to record with IT the software they are installing and licensing if it is not freeware for academic use.
• The non-IT authorized user should not make changes that would adversely affect the ability of IT to properly service the device. Examples: altering the Admin Account, removing IT installed software, modifying core windows features as in Windows Firewall, Detailed requirements can be found in the Justification Form (Appendix A).

As an alternative to personally acquiring administrator rights on the user’s computer, (which will be the standard for most all non-IT users), the IT Department highly recommends that the user submit an IT request via the email address servicedesk@stvincent.edu, AND then call the IT Service Desk at 724-805-2297 to ensure that an IT support person will make themselves readily available to service the request promptly. Each request will be logged through the IT Service Request database to not only ensure a proper response, but to record that the highly important request was submitted on a particular day and time.

APPENDIX A: Justification Form with Accountability Waiver

Approved By: Br. Norman Hipps, President
Approved Date: 7/6/18
Effective Date: 7/6/18
Revised Date: 7/6/18
Author: P. Mahoney, CIO