Open IT Policy Index
- Acceptable Use, Administrative or Special Access (Policy)
- Acceptable Use, Email (Policy)
- Acceptable Use, Internet (Policy)
- Acceptable Use, Virtual Private Network (VPN) (Policy)
- Access Controls, Account (Policy)
- Account Management (Policy)
- Change Management (Policy)
- Computer Virus Prevention (Policy)
- Contingency Planning (Policy)
- Data Backup and Storage (Policy)
- Data Marking, Handling, Processing, Storage, and Disposal (Policy)
- Deferral of System Security Certification or Accreditation, Annual (Form)
- General Information Security Management (Procedure)
- Green Computing (Policy)
- Incident Response (Policy)
- Intrusion Detection (Policy)
- Logging and Audit Trails (Policy)
- Mobile Computing and Network Access (Policy)
- Network Access (Policy)
- Network Access Controls (Standard)
- Network Configuration (Policy)
- Network Data Privacy (Policy)
- Password Management (Policy)
- Personnel Security (Policy)
- Physical Security (Policy)
- Policy Application Checklist (Administrative Utility)
- Secure Media and Data Handling (Procedure)
- Secure Software Development Lifecycle (Standard)
- Social Computing and Networking (Policy)
- Software and Hardware Security Controls (Policy)
- Spam and Unsolicited Commercial Email Prohibition (Policy)
- System Security Certification/Accreditation, Annual (Form)
- System Security Certification/Accreditation, Annual (Policy)
- Telecommuting Agreement, Employee (Form)
-------------------------------------------------------------------------------------------------
Overview and Purpose
Technical support staff, security administrators, system administrators and others may require special access account privileges beyond those of typical or everyday users. Because these administrative and special access accounts carry a higher level of access, granting, controlling and monitoring them is extremely important to an overall security program.
The purpose of the [variable: Covered Organization] Acceptable Use, Administrative or Special Access Policy is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.
Coverage
All individuals who have or may require special-access privilege to any [variable: Covered Organization] Information Resources.
Definitions
General Terminology
Roles and Functions
Policy
- [variable: Covered Organization] departments must submit to IS a list of administrative contacts for their systems that are connected to the [variable: Covered Organization] network.
- All users must sign an [variable: Covered Organization] Agreement to Protect Sensitive Data (Form) before account access is enabled.
- All users of Administrative/Special access accounts must have account management instructions, documentation, training, and authorization.
- Each individual that uses Administrative/Special access accounts must refrain from abuse of privilege and must only conduct investigations under the direction of the ISO.
- Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate to the work being performed (e.g., user account vs. administrator account).
- Each account used for administrative/special access must meet the [variable: Covered Organization] Password Policy.
- The password for a shared administrator/special access account must change when an individual with the password leaves the department or [variable: Covered Organization], or upon a change in the vendor personnel assigned to the [variable: Covered Organization] contract.
- In cases where a system has only one administrator, a password escrow procedure must ensure that someone other than the administrator can gain access to the administrator account in an emergency situation.
- When Special Access accounts are needed for Internal or External Audit, software development, software installation, or other defined need, they:
  - Must be authorized
  - Must be created with a specific expiration date
  - Must be removed when work is complete
Enforcement
Violation of this policy may result in disciplinary action, including termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges, civil, and criminal prosecution.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
Policy Support Contact
- [variable: title (not personal name) of role responsible for overseeing this procedure]
- [variable: Contact information of office responsible for overseeing this procedure]
Policy Publication Date
[variable: Policy publication date]
Revision(s)
- [variable: Policy revision date]
References
- Copyright Act of 1976
- Foreign Corrupt Practices Act of 1977
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Policy Model(s)