Purpose
Privileged accounts, including super user accounts, are typically described as system accounts that carry the authorization of a privileged user. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information and functions. This Privileged Access Management Policy defines the criteria for privileged account management.
Scope
This policy applies to the following Privileged Account types across on-premises, cloud, and hybrid infrastructure:
- Enterprise Admin Accounts – accounts that have administrative access to all OU domains.
- Domain Admin Accounts – accounts that provide admin privileges across all computers, servers, and other types of workstations within the network or domain.
- Domain Privileged User Accounts – accounts that provide admin privileges for systems and computers to specific individuals within an IT function. Privileged Accounts are identified by “IT” or “A” in the username.
- Service Accounts – accounts used by systems to authenticate to other systems or applications without any association to an individual.
- Local Admin Accounts – accounts used by IT and other personnel to maintain local computers, servers, and other types of workstations.
- Application Admin Accounts – accounts used to access underlying company information that resides in databases and applications.
Definitions
Information Technology and Security Definitions
Policy
It is the policy of OU that privileged access be managed with proper controls to mitigate the risk of malware infections, accidental errors, and service account compromises.
Procedures
Staff, Faculty, Students, Third Parties, or Contractors
All staff, faculty, students, third parties or contractors with administrator access on a university-owned device on the OU network must use operating system privilege elevation features.
- A user should be given only those privileges that are required to complete a task. OU IT will provide a user account to be used for day-to-day functions (e.g., internet browsing and e-mail).
- OU IT will provide a dedicated user account with local administrator permissions to be used when needed.
- Microsoft Windows users shall right-click and select RunAs to log in with the dedicated administrator account, as needed to complete a task.
- Other users shall use the sudo or su programs, where appropriate, to log in with the dedicated administrator account, as needed to complete a task.
- Accounts with privileged level access are not to be used to conduct day-to-day functions.
Account Management
- Create Privileged and Service Accounts in accordance with the least privilege requirements in the OU Identity and Access Management Policy.
- Follow the OU Password Policy.
- Maintain a list of individuals who have privileged access. The list must be reviewed by a Data Owner in accordance with the OU Identity and Access Management Policy. At a minimum, this list must include the following attributes:
  - Data Owner: a senior University administrator accountable for the quality and maintenance of one or more Authoritative Sources of data relied upon for key University operations.
  - Data Steward: named by a Data Owner to develop and implement rules and procedures needed to ensure data and security policies set by the Data Owner are enforced.
  - Asset Administrator: an individual with principal responsibility for the installation, configuration, security, and ongoing maintenance of an asset (e.g., system administrator or network administrator). The Asset Administrator role is performed by University Personnel with a named Office of Information Technology or Departmental Information Technology job title.
  - Purpose: indicates the specific university mission the privileged account supports (e.g., University Mission - Operations: includes administrative and technical functions; University Mission - Teaching / Learning: includes faculty, classroom, and computer lab functions; University Mission - Research: includes research functions; University Mission - Healthcare: includes clinical and patient care functions).
  - Privileges Assigned: indicates the roles or permissions granted to the account.
- Store Enterprise and Domain Administrator credentials in an OU IT Privileged Account Vault.
- Store Local Admin Account credentials in a user-managed password vault.
- Store Domain Privileged User Account credentials in a user-managed password vault.
- Store Service Account credentials in an OU IT Privileged Account Vault.
- Store Application Admin Account credentials in a user-managed password vault.
- Change the password for any shared administrator account under any of the following conditions:
  - an individual, contractor, or vendor who knows the password leaves the department or completes their work.
  - job duties change such that the individual no longer performs the functions requiring administrator access.
Least Privilege
The principle of least privilege is an important concept in computer security, promoting minimal user privileges on computers, based on users’ job duties. This helps reduce the “attack surface” of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises. The principle of least privilege can be applied by ordinarily operating without administrative rights. Asset Administrators must implement the principles of least privilege.
- Administrator privileges may only be granted through a dedicated privileged account that is not used on a day-to-day basis for reading email or web browsing.
- Deploy role-based access controls and group policies to prevent individuals from accessing information or services that are not required for the role.
- Access to scripting tools (e.g., PowerShell, command prompt, wscript, cscript, etc.) should be limited to authorized privileged accounts.
- Where possible, restrict access to administer devices by IP address (firewall access control lists, restrict by IP at the key level for SSH).
Separation of Duties
Separation of duties is one of the most basic ways to protect the integrity and security of OU data and IT Services. Separation of duties is both an IT best practice and an audit and control standard that reduces the risk of malicious or inadvertent breach of system security, data integrity, or the disruption of normal business processes. Asset Administrators must configure systems to support the separation of duties.
- Separate development, test, and production environments either logically or physically.
- Development and production software, where possible, must run on different systems.
- Users should use different passwords for production, test, and development systems.
- Accounts should be approved by the data owner and subsequently created by a separate, independent system security administrator.
- Access to system logs and system audits should be limited to system security analysts, and all such access should be reviewed by IT management.
- Access to firewalls and other network security systems should be limited to the network security analysts, and all such access should be reviewed by IT management.
Multi-Factor Authentication
OU IT and Departmental Information Technology (DIT) must manage privileged access as follows:
- Multi-Factor Authentication (MFA) is required. If MFA is not technically feasible, an approved IT Security Exception Request is required. Data Owners must review and approve exceptions and notify OU IT regarding changes to approved exceptions.
Privileged Access Logging
- Log the use of privileged accounts in accordance with the OU System Logging Policy. Examples of events to log include:
  - The use of admin privileges (RunAs, sudo, etc.)
  - Successful and failed admin login attempts or privilege escalation attempts
  - Account lockout events
  - Changes to privileged groups (e.g., adding a user to a privileged group)
  - Actions performed while using a privileged account
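To make the event categories above concrete on the Linux/sudo side of the procedures, here is an added example (not part of the policy or any OU tool) that maps constructed auth.log lines to those categories. The log lines, the privileged group list, and the rule that only root SSH logins count as admin logins are assumptions for the example.

```python
import re
from collections import Counter
# Constructed sample auth.log lines (not real logs); syslog timestamp and host omitted.
SAMPLE_LOG = """\
sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
su[2201]: (to root) alice on pts/1
sshd[3100]: Failed password for root from 203.0.113.7 port 51122 ssh2
sshd[3101]: Accepted publickey for root from 198.51.100.5 port 40022 ssh2
pam_faillock(sshd:auth): Consecutive login failures for user root account temporarily locked
usermod[4000]: add 'bob' to group 'sudo'
cron[5000]: (alice) CMD (/usr/local/bin/backup.sh)
"""
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "adm"}  # assumption: site-specific list
# Ordered (category, pattern) pairs; the first matching rule wins.
RULES = [
    ("privilege_escalation_failed", re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers")),
    ("privilege_use", re.compile(r"sudo:\s+(?P<user>\S+) : TTY=.*COMMAND=(?P<cmd>.+)$")),
    ("privilege_use", re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on")),
    ("admin_login_failed", re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("admin_login_success", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("account_lockout", re.compile(r"pam_faillock\(.*\): .*for user (?P<user>\S+) account temporarily locked")),
    ("privileged_group_change", re.compile(r"(?:usermod|gpasswd)\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")),
]

def classify(line):
    """Map one auth.log line to a policy event category, or None if not privileged-access related."""
    for category, pattern in RULES:
        m = pattern.search(line)
        if not m:
            continue
        fields = m.groupdict()
        # Assumption: SSH logins are admin events only for root; extend with the site's naming convention.
        if category.startswith("admin_login") and fields["user"] != "root":
            return None
        if category == "privileged_group_change" and fields["group"] not in PRIVILEGED_GROUPS:
            return None
        return category, fields
    return None

def summarize(log_text):
    """Count policy event categories across a block of log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)
```

Running `summarize(SAMPLE_LOG)` yields one count per category, with the cron line ignored; the Windows RunAs side would need a separate parser over the Security event log.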
Compliance
The Office of Information Technology Governance, Risk, and Compliance (GRC) team, with assistance from Asset Administrators, will verify compliance with this Policy by evaluating privileged access management controls at least annually, and more often as needed.
References
- National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.AC-4
- National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.13.3
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(3), §164.308(a)(4), §164.310(a)(2)(iii), §164.310(b), §164.312(a)(1), §164.312(a)(2)(i), §164.312(a)(2)(ii)
- National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, AC-5, AC-6
- Payment Card Industry (PCI) Data Security Standards
- OU Identity and Access Management Policy
- OU Password Policy
- OU Data Governance Policy
- OU System Logging Policy
- National Institute of Standards and Technology Special Publication 800-63B
Revision, Review, and Approval History
- October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
- December 2023: Office of the Provost, Norman: Policy reviewed, comments submitted
- February 2024: OU IT Governance, Risk, and Compliance: Comment period closed
- February 2024: School of Computer Science: Policy reviewed, comments submitted
- February 2024: Institutional Research and Reporting: Policy reviewed, comments submitted
- February 2024: University Libraries: Policy reviewed, comments submitted
- March 2024: OU IT Governance, Risk, and Compliance: Added Least Privilege and Separation of Duties from Identity and Access Management Policy. Created policy sections.