STANDARD FOR ADMINISTRATIVE OR SPECIAL ACCESS
The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 2 Standard for Administrative or Special Access
I. STANDARD STATEMENT
The UTSA Standard for Administrative/Special Access establishes the rules for the creation, use, monitoring, control and removal of accounts with special access privileges for the maintenance of information resources.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 2 Standard for Administrative or Special Access contact the following office:
The Office of Information Security
1. Special Access is granted to allow a user to administer a computer application.
2. Administrative Access (also known as "admin rights") allows an individual to have control of their workstation. All requests for administrative rights must be approved by the user's supervisor. To request administrative rights for a workstation, contact OITConnect, via email at firstname.lastname@example.org or by calling 210-458-5555.
3. The UTSA Administrative/Special Access Standard applies equally to all individuals that have, or may require, special access privilege to any UTSA information resources.
For Special Access
- All users must sign the UTSA Information Resources Security Acknowledgement and Nondisclosure Agreement before access is granted.
- All users of Administrative/Special Access accounts must be provided with account management instructions, documentation, training and authorization.
- Each individual who uses an Administrative/Special Access account must refrain from abuse of this privilege. Periodic random audits will be conducted to ensure proper use of the account.
- Each individual who uses an Administrative/Special access account must use the account most appropriate for the work being performed (i.e., user account vs. administrator account).
- Each account password must meet the UTSA Standard for Passwords and Passphrases .
- The password for a shared administrator/special access account must be changed when a password holder leaves the department or UTSA, or upon a personnel change of the vendor assigned to a UTSA contract.
- If the system has only one administrator, there must be a password escrow procedure in place so someone other than the administrator can gain access to the administrator account in an emergency situation. The procedure will be audited on a regular basis.
- When Special Access accounts are needed for audit, software development, software installation or other defined need, they:
- Must be authorized by the system owner, IRM or Information Security Officer (ISO)
- Must be created with a specific expiration date
- Must be removed when work is complete.
- The use of privileged commands must be traceable to specific individuals via the use of comprehensive logs.
For Administrative Rights
- Users with administrative rights to their individual workstation must be made aware that it can be easier for an attacker to gain full access to the computer if it becomes compromised. An attacker can:
- Install programs or malware that allow full access to all of the data on the computer
- Gain access to the data for all user profiles defined on the computer
- Install commands that automatically run at boot up
- Replace critical system files with Trojan horses
- Reset the user password
2. Users with administrative rights to a workstation must take steps to mitigate attacks:
- Ensuring their log on credentials are protected
- Ensuring the workstation is protected by up-to-date antivirus software
- Avoiding suspicious websites
- Avoiding (not clicking) links in suspicious email messages
Effective Date: October 31 2011
Last Revised: January 27, 2014
Last Reviewed: June 6, 2017