Document Title: System Administrator Policy



Similar documents
Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Vulnerability Management Policy

Policy on Privileged Access

Information Technology &

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

CREDIT CARD PROCESSING & SECURITY POLICY

Information Technology Acceptable Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

DEPARTMENTAL POLICY. Northwestern Memorial Hospital

Information Resources Security Guidelines

University of Maryland Baltimore Information Technology Acceptable Use Policy

Appendix A: Rules of Behavior for VA Employees

DHHS Information Technology (IT) Access Control Standard

Network Security Policy

Data Security Incident Response Plan. [Insert Organization Name]

Information Security Policy

Marist College. Information Security Policy

IT Security Standard: Computing Devices

Wright State University Information Security

NORTHEAST COMMUNITY COLLEGE ADMINISTRATIVE PROCEDURE NUMBER: AP FOR POLICY NUMBER: BP 5250 ACCEPTABLE USE PROCEDURES ELECTRONIC RESOURCES

SPRINGFIELD PUBLIC SCHOOLS Springfield, New Jersey 07081

Appendix I. The City University of New York Policy on Acceptable Use of Computer Resources

USE OF INFORMATION TECHNOLOGY FACILITIES

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

MEDWAY PUBLIC SCHOOLS Medway, MA. Acceptable Use Policy for School Network, Internet, and Equipment Grades 7-12

Information Security Program

Virginia Commonwealth University School of Medicine Information Security Standard

Niagara County Community College

Standard: Information Security Incident Management

BLOOMFIELD COLLEGE ACCEPTABLE USE POLICY

Information Security Program Management Standard

Information Technology Cyber Security Policy

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

COMPLIANCE ALERT 10-12

Bates Technical College. Information Technology Acceptable Use Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

CONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT

DATA ACCESS POLICY. Attached is a policy statement regarding data access at the New Jersey Institute of Technology.

Office of Inspector General

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Policy on the Security of Informational Assets

POLICIES AND REGULATIONS Policy #78

The Design Society. Information Security Policy

How To Protect Research Data From Being Compromised

Account Management Standards

Acceptable Use of Computing and Information Technology Resources

How To Protect Decd Information From Harm

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

13. Acceptable Use Policy

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Internet Acceptable Use Policy

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Caldwell Community College and Technical Institute

Norwich University Information Assurance Security Policy. Final Version 10.0 for Implementation

Miami University. Payment Card Data Security Policy

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Riverside Community College District Policy No Human Resources

New River Community College. Information Technology Policy and Procedure Manual

Evergreen Solar, Inc. Code of Business Conduct and Ethics

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Internet Acceptable Use and Software Installation Policy

Responsible Use of Technology and Information Resources

Information Security Operational Procedures Banner Student Information System Security Policy

Information Security Operational Procedures

III. RESPONSIBILITIES

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

R345, Information Technology Resource Security 1

Lutheran Education Association of Houston Acceptable Use Policy (Students)

Cal Poly Information Security Program

Data Protection Breach Management Policy

Access Control Policy

COMPUTER AND NETWORK USAGE POLICY

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

Boston Public Schools. Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and. Technology Resources

RUTGERS POLICY. Policy Name: Standards for Privacy of Individually Identifiable Health Information

APHIS INTERNET USE AND SECURITY POLICY

IT04 UO ACH Security Policy

2.5.1 Policy on Responsible Use of University Computing Resources Introduction This policy governs the proper use and management of all University of

ADMINISTRATIVE REQUIREMENTS OF HIPAA

How To Use A College Computer System Safely

Computing Privileges. Policy: Scope. Policy

Computer Security Incident Reporting and Response Policy

SUPPLIER SECURITY STANDARD

Information Security Policy

MEMORANDUM INFORMATION TECHNOLOGY SERVICES DEPARTMENT

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

POLICY TITLE: Computer and Network Service POLICY NO: 698 PAGE 1 of 6

Appropriate Use of Campus Computing and Network Resources

SUBJECT: INFORMATION TECHNOLOGY RESOURCES I. PURPOSE

Transcription:

Document Title: System REVISION HISTORY Effective Date:15-Nov-2015 Page 1 of 5 Revision No. Revision Date Author Description of Changes 01 15-Oct-2015 Terry Butcher Populate into Standard Template Updated to reflect current practices APPROVED BY This Policy is established for Policies pertaining to information technology by the approval signatures below. Name Title Signature Date Steve Cawley Timothy Ramsay Vice President, Information Technology and CIO SIGNATURE ON FILE 15 Oct 2015 Associate Vice President, Chief Information Security Officer SIGNATURE ON FILE 15 Oct 2015

Document Title: System Effective Date:15-Nov-2015 Page 2 of 5 PURPOSE: Information Security exists to further the mission of the University. The University is comprised of large and diverse populations with evolving needs related to information technology resources and data. University management is committed to safeguarding those resources while protecting and promoting academic freedom. Although intrinsic tension exists between the free exchange of ideas and information security, and can manifest itself in some circumstances, the requirements that follow have been identified to promote the best balance possible between information security and academic freedom. The purpose of this document is to establish guidelines for individuals who perform system administration duties on University of Miami (UM) information technology resources. SCOPE: This document applies to all University Member/Affiliates who are granted System Administrator access or an elevated privileged account to any UM managed service, application or server. For purposes of this document, System Administrator, Network/Systems Administrator, Security Administrator, Email Administrator and any individual with elevated privileged access to a University information technology resource, are collectively referred to as System Adminstrator. DEFINITIONS: Administrative Unit: Any school, department, division, office, or person that provides or facilitates computing, telecommunications or network services to the members of the University of Miami community. Network/Systems Administrator: A person who configures network and server hardware and the operating systems running on them in order to ensure that the information accessible through UM managed information technology systems will be available when needed. Security Administrator: A person who manages user access, request process and ensures that privileges are provided to those individuals who have been authorized access to a UM information technology resource. System Administrator: A person who manages the technical aspects of an information system and provides effective information system utilization, adequate security parameters and sound implementation. A system administrator includes any University Member/Affiliate with privileged account access that is above a normal user. University Member/Affiliate: Employees, faculty, students, volunteers, trainees, contractors and other entities or persons who perform work for or on behalf of UM. Privileged Accounts: A system user granted elevated privileged access with the ability to establish or modify application system policies, perform system administrative tasks and make global changes which can impact entire systems or processes.

Document Title: System Effective Date:15-Nov-2015 Page 3 of 5 POLICY: It is the responsibility of the System Administrator to follow the guidelines of their administrative unit as well as all pertinent University of Miami policies, licensing agreements with software manufacturers, and local, state and federal regulations. Individuals with privileged access rights to UM information resources are entrusted to use such access in an accountable, professional and secure manner which is consistent with designated job responsibilities. RESPONSIBILITIES: As part of normal business practices, System Administrators are held to the highest standard of behavior and ethics as they have the responsibility and trustworthiness to maintain system integrity, reliability and availability. The responsibilities for individuals who configure and manage services and systems are: Documentation System documentation, inventory and operational procedures will be developed and maintained current. Applicable change control procedures will be followed. Security Technical security controls will be implemented in order to mitigate risk, maintain stable operations, and comply with applicable regulations. Technical security controls will include but are not limited to: Applying operating system, service and application patches, hot fixes, updates and new releases as necessary Maintaining systems and servers with the minimum services, applications and open TCP/UDP ports required in order to mitigate exploitation of the system. Implementing encryption requirements for data classified as sensitive or protected. Notifying UMIT Security Team of suspected incidents and assist in the investigation and remediation of incidents as needed. The use of a privileged access account is for system administration functions only. A privileged access account or system administrator account may not be used when performing normal user activities. Changing default passwords of root and admin accounts. Enabling operating system, service and application logging. Taking precautions against theft or damage to the system components. User Accounts The creation of user accounts will be approved by the business owner, documented, controlled on the basis of least privilege and need to know.. Ongoing user administration will be managed effectively and efficiently. User accounts will be disabled after a designated number of consecutive days of inactivity. The disabling of inactive user accounts will be determined by the

Document Title: System Effective Date:15-Nov-2015 Page 4 of 5 administrative unit and will be based on business needs and applicable regulatory compliance requirements. A decision not to disable accounts for unlimited days of inactivity must be documented. Professionalism Services and systems will be configured to fulfill the needs of the University. Working with users, vendors, consultants, upper management and other system administrators requires patience and care to maintain a level of respect. At times, this will include cooperating with fellow colleagues with the implementation or upgrade of services or applying corrective and protective actions. Privacy and Ethics Individuals with privileged access will take necessary precautions to protect the confidentiality of information encountered in the performance of their duties. Good faith efforts will be taken to obtain account owner consent before accessing files or interfering with their processes. If during the performance of duties, information indicating inappropriate use is discovered, UMIT security will be consulted. EXCEPTIONS: Any requests for exceptions to this policy must be submitted in writing and will be reviewed on a case by case basis. Exceptions shall be permitted only after written approval from the Vice President of or designee. This list of exceptions shall be reviewed periodically as per the exception approval, and cancelled as required. IMPLEMENTATION: Chief Information Security Office: Responsible for regular review of this Policy. The review will occur annually or when significant changes occur. Responsible Vice President or CIO: Responsible for reviewing and approving or denying exception requests Responsible for reviewing exceptions yearly Responsible for monitoring the enforcement of the policy System Administrator: Responsible for following policy requirements as required by their role. SANCTIONS: Accounts and network access may be administratively suspended with or without notice by the University as per existing University regulations, Faculty manual where applicable, and due process, when, in the University's judgment, continued use of the University's resources may interfere with the work of others, place the University or others at risk, or violate University policy.

Document Title: System Effective Date:15-Nov-2015 Page 5 of 5 Known violations of the policy will be addressed by disciplinary policies and procedures applicable to the individual. All such allegations of misuse will be investigated by the appropriate University administrative office with the assistance of the Department of and the Department of Human Resources. Penalties may include: Suspension or termination of access to computer and/or network resources; Suspension or termination of employment, to the extent authorized by other university published policies and procedures; Suspension or termination of contract computer and/or network services; or Criminal and/or civil prosecution. ENFORCEMENT: Chief Information Security Officer (CISO) or designee is responsible for monitoring the enforcement of the policy. OTHER APPLICABLE POLICIES: A110 Data Classification Policy POL-UMIT-A170-013-01 Malicious Software Prevention Policy POL-UMIT-A130-004-01 Access Control and User Account Management Policy POL-UMIT-A175-014-01 Electronic Data Protection and Encryption Policy POL-UMIT-A131-005-03 Password Security Policy

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information