- Acceptable Use Policy and User Agreement
- Cell Phone and other Personal Electronic Device Policy
- Chosen First Name Use Policy
- Data Classification Policy
- Guest User Acceptable Use Policy
- Mobile and Remote Device Policy
- Password Policy
- Personal Computing Support Policy
- Screening Movies on Campus Policy
- User Access to Data and Services Policy
- Backup Retention Policy
- Copyright & Fair Use Policy
- Cloud Vendor Policy
- F&M Account Content Access by Non-Account Holder Policy
- Information Security Policy
- Network Security Policy
- Payment Card Industry (PCI) Compliance Policy
- Privacy Notice for F&M Website
- Privileged Account Management Policy
- Technology Hardware Acquisition, Disposition and Replacement Policy
- Wireless Network Policy
Privileged user accounts are those to which rights to perform system and/or application administration have been assigned. This policy defines the requirements surrounding the creation, use, monitoring, and decommissioning of privileged user accounts within the Franklin & Marshall data network.
Typical reasons for the use of a privileged account include:
- The ability to function as Domain Administrator for the purposes of managing an Active Directory domain, including member servers, workstations, services, and applications.
- The ability to function as a local server administrator in order to install and reconfigure software on servers and workstations;
- The ability to log into routers, switches, firewalls, wireless access points and controllers, or other network or security devices in order to review or modify configurations, update firmware, or perform other administrative tasks.
- The ability to perform backup and restore operations on behalf of other users, groups, or departments.
- The ability to create, add, or remove users from Active Directory, LDAP, application-specific user databases, or other authentication systems.
- The ability to lock or unlock user accounts, or change their passwords.
II: Account Provisioning
Elevated permissions may not be assigned to a user's’ primary account. A separate account must be created for each individual user who has a documented business need for elevated privileges. These accounts should be created with a standard naming convention which will serve to distinguish the account from a normal user account while at the same time clearly identifying the individual to which the account has been assigned.
Authorization for the creation of a privileged account must be submitted in writing by the appropriate Data Owner and be approved by the Chief Information Officer and/or the Chief Information Security Officer. Each request for privileged access must include appropriate justification for the request, as well as an expiration date.
IV: Password Requirements
All privileged accounts must be secured with a strong, unique password which meets the password strength requirements outlined in the College’s Password Policy. Privileged Users are strictly prohibited from using the same password on their primary account and their privileged account. Periodic audits will be performed, and any privileged accounts which are found to have the same passwords as the user's primary account, or having an easily cracked password will be disabled
V: Multifactor Authentication Requirements
The use of privileged accounts from physical locations outside of the College’s data center and primary office wired network segments must be secured using multifactor authentication.
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: 03 September 2019