Handbook of Operating Procedures
Chapter 8 - Facilities and University Services
Publication Date: December 12, 2014
Responsible Executive: VP for Academic Affairs


8.18 Position of Special Trust


I. POLICY STATEMENT


The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. The UTSA Office of Information Security (OIS) and the Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure UTSA computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the Data, intellectual property and Information Resources used to carry out UTSA business.

UTSA faculty, staff and other employees are responsible for the security of UTSA Data they access, process, maintain, transmit and store. In addition, employees of UTSA granted elevated or special administrative access privileges (those in Positions of Special Trust) must take additional measures to protect those Information Resources.


II. RATIONALE


Individuals placed in a Position of Special Trust by their department are granted elevated administrative privileges to UTSA Information Resources and therefore have a greater responsibility to ensure no harm comes to the Information Resources or Data by the use of those privileges.


III. SCOPE


This policy affects all Positions of Special Trust. Violations of university policies, standards, and procedures pertaining to custodians of UTSA's Information Resources and confidential information may be subject to disciplinary action up to and including termination of employment.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter8/8-18.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


UTSA or UT System Policies or the Board of Regents' Rules & Regulations

  1. UT System Policy INT124, Information Resources Acceptable Use and Security Policy
  2. UT System Policy UTS165, UT System Information Resources Use and Security Policy
  3. UT System Policy UTS178, Required Reporting of Significant Events 
  4. UTSA HOP policy 8.15, Acceptable Use Policy

Other Policies & Standards

  1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C
  2. Texas Computer Crimes Act, Title 7, Chapter 33 Computer Crimes

VI. CONTACTS


If you have any questions about HOP policy 8.18, Positions of Special Trust, please contact the following office: 

Office of Information Technology (OIT) or Office of Information Security (OIS)
(210) 458-4555


VII. DEFINITIONS


A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS 165, Information Resources Use and Security Policy.

Data: Information which is recorded – regardless of form or media – that is used to support the business of UTSA, whether in an administrative or research capacity.  Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images) or other format.

Data Classification: At UTSA, Data is classified as Category I (confidential), Category II (controlled) or Category III (published/public data), with each category subject to its own protection requirements and processes.  More information, including definitions, protection requirements and examples of Data can be found in the Standard for Data Classification.

Data Owner: The manager or agent responsible for the business function supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program using the Information Resources. 

Information Resources: The procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.

Information Security Officer (ISO): Staff member responsible for providing and administering the overall information security program for all centrally maintained and all distributed systems and computer equipment.

Position of Special Trust: Users assigned accounts granted by UTSA whose privileges allow them broad access to Category I data, Category II data, modification of account information (for example, changing/resetting passwords), or systems with the capability of causing widespread outages to computer resources.

Server: A computer system that provides shared resources on the network (For example, Web server, print server, file server).

User: An individual who is authorized by the Data or Information Owner to access the information resource, in accordance with the Data Owner's procedures and rules. The User is any person who has been authorized by the Data Owner to read, enter, or update that information whether done individually or through facilitation or responsibility for an automated application or process. The User is the single most effective control for providing adequate security.


VIII. RESPONSIBILITIES


  1. User in a Position of Special Trust
    1. Complies with all applicable policies and guidelines.
    2. Informs management and OIS of any potential incident, threat or issue that may compromise the security of protected Category I or II Data, as soon as possible.
    3. Takes appropriate/additional steps to protect Category I or II data from unauthorized access or inadvertent disclosure.
    4. Identifies areas of concern that would lessen the impact or likelihood of an information access or disruption issue.
    5. Takes additional precautions when performing day to day tasks using the access granted.
    6. Uses the Information Resource only for the purpose specified by the Data Owner.
    7. Complies with controls established by the Data Owner.
    8. Prevents disclosure of Category I and Category II Data.
  2. Information Security Officer
    1. Reviews and maintains the contents of the information resources (including training) related to Positions of Special Trust.
    2. Maintains a list of systems for which employees with Position of Special Trust access must follow this policy and related standards.
  3. UTSA Managers/Supervisors
    1. Ensures that Users who are in Positions of Special Trust have reviewed necessary materials related to Positions of Special Trust and signed the Positions of Special Trust Acknowledgement Form.
    2. Immediately informs OIS of any potential incident, threat, or issue that may compromise the security of Category I or Category II data.

IX. PROCEDURES


  1. Positions of Special Trust Acknowledgement Form
    1. Prior to providing access to a system covered by this policy or its related standards, the manager authorizing access will notify the employee that the access requires a Positions of Special Trust Acknowledgement Form to be completed.  Managers needing assistance in determining whether a Positions of Special Trust Acknowledgement Form is required may contact OIS.
    2. Employees in Positions of Special Trust should review this policy, the acknowledgement form and other related resources.
    3. The manager/department will retain the form.
    4. The Positions of Special Trust Acknowledgement Form should be completed annually by employees designated as being in a Position of Special Trust.
  2. Procedures for Users in a Position of Special Trust
    1. Carry out so as to prevent errors that may be costly or adversely affect UTSA Users.
    2. Recognize and address the possibility of such errors, and follow all defined procedures.
    3. Use accounts with special privileges (e.g., System Administrators, Database Administrators, and Network Administrators) only for their intended administrative purposes.  Generally, a staff member would have a separate log on ID that grants elevated access to a system or server.
    4. Make immediate supervisor aware of issues or process defects which should be addressed to minimize risks of disruption of information services or Data breach.
  3. Additional information can be found in the Standard for Position of Special Trust. This standard contains a discussion of Elevated Access Privileges, General Standards and Guidelines, a list of applications that require a POST form and other miscellaneous information.

X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


Classifying your Data: Data Classification Examples


XII. APPENDIX


None