Privileged Account Management Policy

I: Introduction

Privileged user accounts are those to which rights to perform system and/or application administration have been assigned. This policy defines the requirements surrounding the creation, use, monitoring, and decommissioning of privileged user accounts within the Franklin & Marshall data network.

Typical reasons for the use of a privileged account include:

  • The ability to function as Domain Administrator for the purposes of managing an Active Directory domain, including member servers, workstations, services, and applications.
  • The ability to function as a local server administrator in order to install and reconfigure software on servers and workstations.
  • The ability to log into routers, switches, firewalls, wireless access points and controllers, or other network or security devices in order to review or modify configurations, update firmware, or perform other administrative tasks.
  • The ability to perform backup and restore operations on behalf of other users, groups, or departments.
  • The ability to create, add, or remove users from Active Directory, LDAP, application-specific user databases, or other authentication systems.
  • The ability to lock or unlock user accounts, or change their passwords.

II: Account Provisioning

Elevated permissions may not be assigned to a user's primary account. A separate account must be created for each individual user who has a documented business need for elevated privileges. These accounts should be created with a standard naming convention which will serve to distinguish the account from a normal user account while at the same time clearly identifying the individual to whom the account has been assigned.

III: Authorization

Authorization for the creation of a privileged account must be submitted in writing by the appropriate Data Owner and be approved by the Chief Information Officer and/or the Chief Information Security Officer. Each request for privileged access must include appropriate justification for the request, as well as an expiration date.

IV: Password Requirements

All privileged accounts must be secured with a strong, unique password which meets the password strength requirements outlined in the College’s Password Policy. Privileged Users are strictly prohibited from using the same password on their primary account and their privileged account. Periodic audits will be performed, and any privileged accounts which are found to have the same password as the user's primary account, or to have an easily cracked password, will be disabled.

V: Multifactor Authentication Requirements

The use of privileged accounts from physical locations outside of the College’s data center and primary office wired network segments must be secured using multifactor authentication.  

--------
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: 12 September 2017