STANDARD FOR POSITION OF SPECIAL TRUST
The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS- 41 Standard for Position of Trust
I. STANDARD STATEMENT
The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. The UTSA Office of Information Security (OIS) and the Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure UTSA computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the Data, intellectual property and Information Resources used to carry out UTSA business.
Individuals placed in a Position of Special Trust by their department are granted elevated administrative privileges to UTSA Information Resources and therefore have a greater responsibility to ensure no harm comes to the Information Resources or Data by the use of those privileges.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 41 – Standard for Position of Special Trust contact the following office:
The Office of Information Security
- A person in a position of special trust must ensure that all of the systems for which they are responsible are in compliance with InSight application metrics, including but not limited to:
- Must have antivirus software installed and updated.
- Must meet all encryption standards.
- Must be reporting to the InSight application.
- Must be a member of the Active Directory domain.
- Must have all approved patches/updates installed.
- Individuals in a position of special trust should:
- Document areas of concern and present to management.
- Only use high level / administrative access when required. All other times, use your normal levels of access.
- Participate in specialized training, as assigned.
- Dot "I's" and cross "T's" when working with high level access or "Tools of Mass Disruption."
- Carelessness and negligence in positions of special trust will not be tolerated.
- Elevated Access Privileges.
- Elevated access privileges are granted to those individuals who require the ability to access resources that are usually restricted from standard users.
- If an elevated access privilege account is compromised, an unauthorized user could cause serious harm to the computer network. Therefore, this type of account should only be used to access the required resources. For all other activities, the user should log on using their regular user account.
- General Listing of Systems that Require a Position of Special Trust Form to be completed by users.
- While some systems may have been inadvertently omitted, the following systems / platforms require a POST form to be completed by those with access:
- PeopleSoft/DEFINE administrators
- Banner Administrator, Database Administrator, Programmer
- Blackboard Administrator
- Network Administrator
- Positions of Special Trust Acknowledgement Form
- Prior to providing access to a system covered by this policy or its related standards, the manager authorizing access will notify employee that it requires a Positions of Special Trust Acknowledgement Form to be completed. Managers needing assistance in determining whether a Positions of Special Trust Acknowledgement Form is required may contact OIS.
- Employee in Positions of Special Trust should review this policy, the acknowledgement form and other related resources.
- The manager/department will retain the form.
- The Positions of Special Trust Acknowledgement Form should be completed annually by employees designated as being in a Position of Special Trust.
- General procedures for Users in a Position of Special Trust
- Exercise special care in carrying out work so as to prevent errors that may be costly or adversely affect UTSA Users.
- Recognize and address the possibility of such errors, and follow all defined procedures with extra diligence.
- Use accounts with special privileges (e.g., System Administrators, Database Administrators, and Network Administrators) only for their intended administrative purposes.
- Make immediate supervisor aware of issues or process defects which should be addressed to minimize risks of disruption of information services or Data breach.
- "Immediately informs" - The user will inform management as soon as possible.
- The form can be found here.
Effective Date: September 11, 2015
Last Revised: October 26, 2016
Reviewed: August 4, 2017