Proper Use of Administrative Computing Resources and Data
Purdue University computing resources and information are provided to support the University's administrative functions. Any use of these resources that interferes with these functions or does not respect the image and reputation of Purdue University is improper.
In addition, the following specific actions and use of Purdue University information and resources are improper:
Audience: End User, Management, Technical
Approvals Required for User-ID Creation and Privilege Assignment
User-IDs may be granted to specific users only when approved in advance by the user's immediate supervisor. Prior to being granted to users, business application system privileges must be approved by the involved information owner.
Audience: Technical
Granting User-IDs to Non-Purdue Staff
All contractors, consultants, or other non-employees who must be granted a User-ID in order to fulfill a business obligation must follow the same approval process as employees. However, access privileges will be allocated for at most one year, forcing annual renewal.
Audience: Management, Technical
Termination of Information Systems Access Privileges
All Purdue University computing systems privileges must be promptly terminated at the time that a worker ceases to provide services to Purdue University.
Audience: End User, Management, Technical
Maintaining Access Privileges
When a worker's responsibilities change, their Purdue University computing system privileges must be adjusted as appropriate.
Audience: End User, Management, Technical
Measures To Protect Information
Purdue University uses access controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:
This authority may be exercised with or without notice to the involved users.
Audience: End User, Management
Unauthorized Access To Administrative Computing Information Systems
Workers using Purdue University computing systems are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, exploiting vulnerabilities or deficiencies, or disrupting the operations of these systems. Likewise, workers are prohibited from capturing or otherwise obtaining passwords, encryption keys, or any other access control mechanism, which could permit unauthorized access. All such vulnerabilities or deficiencies should be promptly reported to the Chief Information Security Officer.
Audience: End User, Technical
Games on Administrative Computing Workstations
Games may not be installed, stored, or downloaded for use on Purdue University computers and/or workstations. If the system configuration delivered by Customer Support or a Departmental Computing Zone includes games (i.e. Solitaire), workers may play these games on personal time.
This policy is necessary because of the potential impact on computing resource availability and the potential for virus damage.
Audience: End User, Management, Technical
Information Driven Access Control
Where to Use Computer System Access Controls
All computer-resident Purdue University information residing on multi-user systems must have system access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
Audience: Technical
All Software Must Be Regulated By Access Control Systems Software
All software installed on Purdue University multi-user systems must be regulated by approved access control systems software. This means that a user's session must initially be controlled by the approved access control systems software (e.g., TOP SECRET). Appropriate permissions will result in control being passed to the software.
Audience: Management, Technical
Privilege Restriction Based on the Need-to-Know
NOTE: This policy is still in development.
Specific Information Access Policies Must Be Prepared
Management must establish specific written policies regarding the categories of people who will be granted permission to access various types of information. These policies must also specify limitations on the use of this information by those to whom access will be granted.
Audience: Management, Technical
Information Stewards and Custodians Must Be Assigned
Management must clearly specify in writing the assignment of stewardship and custodian responsibilities for databases, master files, systems, and other shared collections of information.
Audience: Management, Technical
User-to-User Separation of Activities and Data
Management must define user privileges such that users cannot gain unauthorized access to, or otherwise interfere with, either the activities or the data of other users.
Audience: Management, Technical
Default File Permissions for Networked Systems
File access control permissions for all Purdue University networked systems must default to no access, which blocks access by unauthorized users.
Audience: Management, Technical
Existence of User Access Capabilities Does Not Imply Usage Permission
Users must not read, modify, delete, or copy a file belonging to another user without first obtaining permission from the owner of the file. Even if general user access is clearly provided (e.g., a LAN exchange directory), the ability to read, modify, delete, or copy a file belonging to another user does not imply permission to perform these activities.
Audience: End User
User-IDs Must Each Uniquely Identify a Single User
Each computer and communication system User-ID must uniquely identify only one user. Shared or group User-IDs are not permitted. Exceptions to this policy must be approved by the Office of the Vice President for Information Technology (OVPIT) for the West Lafayette campus and IT Directors for regional campuses. An approved audit procedure is also required.
Audience: Management, Technical
Naming Standard for a Single User-ID Used on All Platforms
Users of Purdue University computing systems will have only one computer system User-ID, no matter how many systems they access. System administrators must consistently observe the User-ID naming standard specified by ITaP unless advance permission from OVPIT has been granted.
Audience: Technical
Support for Special Privileged Type of Users
All multi-user computer and network systems must support a special type of User-ID which has broadly-defined system privileges. This User-ID will in turn enable authorized individuals to change the security status of systems.
Audience: Management, Technical
Restriction of Special System Privileges
Special system privileges, such as the ability to examine the files of other users, must be restricted to those directly responsible for system and/or security administration. These privileges must be granted only to those individuals who have been identified as a systems and/or security administrator for a system.
Audience: Management, Technical
Limited Number of Privileged User-IDs
The number of privileged User-IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.
Audience: Management, Technical
Two User-IDs Required for All Systems Administrators
Multi-user systems administrators must have at least two User-IDs. One of these User-IDs must provide privileged access; the other must be a normal User-ID for day-to-day work.
Audience: Technical
Logging and Reporting on Privileged User-ID Activity
All User-ID creation, deletion, and privilege change activity performed by systems administrators and others with privileged User-IDs must be securely logged and reflected in periodic management reports.
Audience: Technical
Restriction of Third Party Privileges
Third party vendors must only be given maintenance privileges to machines when the system manager determines that they have a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks.
Audience: Technical
Dormant User-IDs and Automatic Privilege Revocation
All User-IDs will have the associated privileges revoked after one year of inactivity.
Audience: Management, Technical
Default to Denial of Access Control Privileges
If a computer or network access control system is not functioning properly, it must default to denial of privileges to end-users.
Audience: Management, Technical
End-User Access to Operating System Commands
After logging in, end-users of multi-user systems must not be allowed to invoke operating system level commands. Where this approach is not practical, privileges must be restricted in such a way as to minimize the problems this may cause to the operating environment.
Audience: Technical
Testing Information System Controls Prohibited
Workers must not test or attempt to compromise internal controls unless specifically approved in advance and in writing by the OVPIT.
Controlled Process for Modification of Production Business Information
Privileges must be established such that system users are not able to modify production data in an unrestricted manner. Users may only modify production data in predefined ways that preserve or enhance its integrity. In other words, users must be permitted to modify production data only when employing a controlled process/system approved by management.
Audience: Technical
Modification of Production Business Information by Non-Production Staff
System privileges must be defined so that non-production staff (internal auditors, information security administrators, programmers, computer operators, etc.) are not permitted to update production business information.
Audience: Management, Technical
IT Staff Privileges
Information Technology staff must not be given access to, or permitted to modify, production data, production programs, or the operating system beyond that which they need to do their jobs.
Audience: Management, Technical
Periodic Review and Reauthorization of User Access Privileges
Audience: Management, Technical
Signed Forms Required for Issuance of User-ID
Users must sign both an Acknowledgement of Responsibility and an Information Security Policy Compliance Agreement prior to being given a User-ID allowing access to Purdue University computing systems.
Audience: End User
Multi-Platform Systems Parameter Naming Conventions
To achieve consistent access control across different types of computer systems, standard User-IDs, production program names, production file names, system names, and other naming conventions must be supported.
Audience: Management, Technical
Administrative Security Management for All Networked Computers
Configurations and set-up parameters on all networked computers participating in the Purdue University network must comply with Information Technology security management policies and standards.
Audience: Technical
Maintenance of Master User-ID and Privilege Database
So that users' privileges may be expediently revoked on short notice, the record of the systems on which users have User-IDs, and of the associated privileges, must be kept up-to-date.
Audience: Management, Technical
Transfer of Information After Employee Terminations/Transfer
When a worker leaves or responsibilities change such that computing access is no longer required, both computer resident files and paper files must be promptly reviewed by his or her immediate supervisor to determine who should become the custodian of such files, and/or the appropriate methods to be used for file disposal. The supervisor must reassign the former computer user's duties and delegate responsibility for information in the former computer user's possession.
Audience: End User, Management, Technical
Schedule for Deletion of Files After Employee Termination/Transfer
Four weeks after notification that an employee's computing systems access is no longer required, all files held in that employee's directories will be purged. An employee's supervisor may request an exception by contacting Customer Support or their department's Computing Zone Manager.
Audience: Management