RPA Guidelines

I. INTRODUCTION

The use of robotic process automation (RPA) may introduce security challenges, and the University must manage how these processes are developed. These guidelines identify the procedures and responsibilities in the creation, development, and management of RPA.

II. Guidelines

RPA Account Guidelines 

  • Robot accounts should be named with an indicator that begins with RPA followed by up to five additional characters identified by the RPA Center. The RPA Center will need to maintain an inventory of all RPA accounts.
  • Robotic accounts should be placed in separate OUs from interactive user accounts where possible.
  • Each robot should have a separate account and an account should not be shared between robots.
  • Passwords for RPA accounts should exceed the character length set by standard S-16 (16 character maximum).
  • RPA accounts should follow the principle of least privilege when accessing machines or applications.
  • RPA accounts that do not utilize MFA must change passwords every 90 days. All passwords for RPA accounts must be stored in a secure location and changed immediately upon personnel changes.
  • Where feasible, restrict robot accounts to logging in only to those machines or applications required to perform bot functions.

    Evaluation criteria:

    Prior to setup, identify what the account will log in to. If a machine, limit login access to the necessary machine(s). If an application, limit machine login and apply least-privilege application access for the account.

RPA Development Guidelines

In addition to these development guidelines, ensure all University and RPA standards, guidelines, and policies are being followed.

  • reCAPTCHA, rate limiting, and input validation must be used for user-interactive robots.
  • Ensure RPA logs are sent to a separate system where they are stored securely and are forensically sound.
  • Each robot is assigned a unique key identifier that can be referenced in the inventory.
  • Code should be developed in collaboration with or reviewed by a second developer prior to implementation.
  • Version control should be used for any changes to code or functionality.
  • Avoid creating bots and automation processes with hardcoded authentication or authorization.
  • Reuse code or scripts as much as possible to avoid unique security risks in bots.
  • Use a standard naming structure when creating robots and automation processes.
  • Ensure any framework that is being used in development is secure and updated.

III. Related Documents

S-11 - University Policy Office - Purdue University
S-13 - University Policy Office - Purdue University
S-15 - University Policy Office - Purdue University
S-16 - University Policy Office - Purdue University