Acceptable Use for System Administrators Policy

This document establishes the Acceptable Use for System Administrators Policy for the University of Arizona. This policy establishes requirements and provides guidance to System Administrators for the ethical and acceptable use of their administrative access.

This policy applies to all Information Systems and Information Resources owned or operated by or on behalf of the University. All University-Related Persons with access to University Information or computers and systems operated or maintained on behalf of the University are responsible for adhering to this policy.

CISO: The senior-level University employee with the title of Chief Information Security Officer.

Elevated Access: A level of access that is authorized to perform functions that ordinary Users are not authorized to perform.

Information Owner: The individual(s) or Unit with operational authority for specified University Information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. This individual or Unit is responsible for making risk tolerance decisions related to such Information on behalf of the University and is responsible for any loss associated with a realized information security risk scenario.

Information Resources: University Information and related resources, such as equipment, devices, software, and other information technology.

Information System: A major application or general support system for storing, processing, or transmitting University Information. An Information System may contain multiple subsystems. Subsystems typically fall under the same management authority as the parent Information System. Additionally, an Information System and its constituent subsystems generally have the same function or mission objective, essentially the same operating characteristics, the same security needs, and reside in the same general operating environment.

Information System Owner: The individual(s) or Unit responsible for the overall procurement, development, integration, modification, and operation and maintenance of an Information System. This individual or Unit is responsible for making risk tolerance decisions related to such Information Systems on behalf of the University and is organizationally responsible for the loss, limited by the bounds of the Information System, associated with a realized information security risk scenario.

ISO: The University's Information Security Office, responsible for coordinating the development and dissemination of information security policies, standards, and guidelines for the University.

System Administrator: A User with a level of access above that of a normal User, or supervisory responsibility for, Information Systems and Information Resources. Examples of System Administrators include, but are not limited to, a Database Administrator, a Network Administrator, a Central Administrator, a superuser, or any other privileged User.Unit: A college, department, school, program, research center, business service center, or other operating Unit of the University.

University Information: Any communication or representation of knowledge, such as facts, data, or opinions, recorded in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual, owned or controlled by or on behalf of the University.

University-Related Persons: University students and applicants for admission, University employees and applicants for employment, Designated Campus Colleagues (DCCs), alumni, retirees, temporary employees of agencies who are assigned to work for the University, and third-party contractors engaged by the University and their agents and employees.

User: Individual or group that interacts with a system or benefits from a system during its utilization.

System Administrators manage, configure, and monitor the University’s Information Resources. In doing so, they are responsible for activity originating from their accounts. This policy establishes requirements for acceptable use of Elevated Access for System Administrators.

Each Unit that is (or has an employee who is) either an Information Owner or Information System Owner must have documented procedures for approving Elevated Access for System Administrators. The procedures should allow for risk-informed decisions regarding when to grant or deny such access. When Elevated Access is given to Information Systems that store, process, or transmit Regulated Information, as defined in the Data Classification and Handling Standard, the procedures must at least meet relevant minimum regulatory requirements, as established or communicated by the University office designated as responsible for enforcement of the relevant information security or privacy obligation.

When a System Administrator’s role or job responsibilities change, their Elevated Access must be evaluated and, if necessary, updated or removed according to Unit procedures.

Each System Administrator must:

• Restrict their use of accounts with Elevated Access to only official University business consistent with the System Administrator’s University role, job responsibilities, and the purpose for which the access was granted. The permissible use of Information Systems for incidental personal purposes (as reflected in the Acceptable Use of Computers and Networks Policy) does not extend to a System Administrator’s use of this Elevated Access. System Administrators may not use their Elevated Access for any purposes outside of the scope for which such Elevated Access was granted.
• Never use Elevated Access to satisfy personal curiosity.

• Never expose or otherwise disclose information obtained through Elevated Access to unauthorized persons.

• Ensure that default passwords are changed using strong password methodologies when an Information System is installed or implemented.
• Never share personal login credentials (including passwords) that have been provisioned with, or accessed using, Elevated Access with anyone, including other System Administrators.
• Never gain or provide unauthorized access to an Information System. System Administrators must never give themselves or another User access to Information Systems that they have not been formally authorized to administer.
• Take steps to ensure adherence to and compliance with all signed and authorized hardware and software license agreements entered into by the University.
• In fulfilling the responsibilities that accompany the granting of Elevated Access, take all reasonable measures to protect the confidentiality, integrity, and availability of Information Resources.
• For those System Administrators responsible for secure architecture design, ensure that each individual or Unit is granted the minimum system resources and authorization that such individual or Unit needs to perform its function.

Compliance

Tracking, Measuring, and Reporting

ISO shall initiate mechanisms for tracking compliance with this policy and shall produce reports representing these measures to support University decision making.

Recourse for Noncompliance

ISO is authorized to limit network access for individuals or Units not in compliance with information security policies (including this one) and related procedures. In cases where University resources are actively threatened, the CISO shall act in the best interest of the University by securing the resources in a manner consistent with the Information Security Incident Response Plan. In an urgent situation requiring immediate action, the CISO is authorized to disconnect affected individuals or Units from the network. In cases of noncompliance with this policy, the University may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative, academic, and employment policies. 

Exceptions

Requests for exceptions to information security policies (including this one) may be granted for Information Systems with compensating controls in place to mitigate risk. Any requests must be submitted to the CISO for review and approval pursuant to the exception procedures published by the CISO.

Frequency of Policy Review

The CISO shall review information security policies and procedures annually, at minimum. This policy is subject to revision based upon findings of these reviews.

Responsibilities

University-Related Persons

All University-Related Persons are responsible for complying with this policy and, where appropriate, supporting and participating in processes related to compliance with this policy.

Information Owners and Information System Owners

Information Owners and Information System Owners are responsible for implementing processes and procedures designed to provide assurance of compliance with the minimum standards, as defined by ISO, and for enabling and participating in validation efforts, as appropriate.

Chief Information Security Officer

ISO shall, at the direction of the CISO:

• identify solutions that enable consistency in compliance and aggregate and report on available compliance metrics;
• develop, establish, maintain, and enforce information security policy and relevant standards and processes;
• provide oversight of information security governance processes;
• educate the University community about individual and organizational information security responsibilities;
• measure and report on the effectiveness of University information security efforts; and
• delegate individual responsibilities and authorities specified in this policy or associated standards and procedures, as necessary.

Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers

All Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers shall take appropriate actions to comply with information technology and security policies. These individuals have ultimate responsibility for University resources, for the support and implementation of this policy within their respective Units, and, when requested, for reporting on policy compliance to ISO. While specific responsibilities and authorities noted herein may be delegated, this overall responsibility may not be delegated.