
Procedures for Granting and Restricting Elevated Workstation Privileges (CIO-P001)

The full-text version (for download) of these procedures can be accessed here: CIO-P001  Procedures for Granting and Restricting Elevated Workstation Privileges.

Table of Contents

1. Purpose
2. Scope
3. Procedures and Responsibilities
    a) Granting of Workstation Privileges
    b) User Privileges
    c) Temporary Elevated Privileges
    d) Elevated Privileges
    e) Related Information
4. Definition of Terms

1. Purpose

To provide interim guidance for granting and restricting user privileges and implementing compensating controls for university-owned workstations until this guidance is incorporated into IT security policies, standards, and guidelines.


2. Scope

These procedures cover university-owned workstations and do not cover personally-owned workstations.

These procedures are in a compliance period until March 1, 2018, to give schools and organizations at UVA an opportunity to implement the guidance across a wide range of machines and users, so that implementation issues can be discovered and any needed adjustments made before the guidance is incorporated into IT security policies, standards, and guidelines.

The procedures outlined in this document represent operational best practices and standardized approaches to help ensure that university-owned workstations accessing University data take adequate measures to ensure the protection of University data and the security of the University network and other resources.

Individuals are still responsible for ensuring they comply with University Policies regarding data storage, protection, and security (see “Related Information” section).


3. Procedures and Responsibilities

Granting of Workstation Privileges

In general, Workstation Managers will set privileges on a workstation for a specific user based on the highest level of sensitivity of the data that user will need to access from that workstation to perform their duties.

If a workstation will be used to access highly sensitive data, that workstation must have a full malware scan before being configured to allow access to that data.

Before granting users access to highly sensitive data, the user’s supervisor or manager must ensure the user has completed required security awareness training in accordance with Information Security, Policy, and Records Office (ISPRO) guidance.

Users are responsible for ensuring they protect University data in accordance with current University Data Protection Standards.

In general, any increased risk assumed by granting increased privileges must be offset by adding compensating controls or by holding users to a higher level of accountability for their actions. The level of compensating controls must be based on the sensitivity of the data that will be accessed from a particular workstation:

- For data that is "not sensitive," additional compensating controls beyond baseline security measures may be minimal or non-existent.

- For data that is "moderately sensitive," compensating controls must be practical and balanced between ease of use and protection of the information.

- For data that is "highly sensitive," compensating controls must provide the highest level of protection for the information that will still allow users to accomplish their required duties.

Below are procedures Workstation Managers must follow when determining the appropriate level of access to provide a given user on a given workstation.  Note that these procedures are not a replacement for sound judgment.

See Table 1 below for a quick overview of workstation privileges.  Details are contained in the text following the table.

Minimum-Security Workstation (must only access data that is not sensitive)

  Workstation Privileges                    Approval Level                               Endpoint Security Software
  User Privileges                           Not applicable                               None required in addition to baseline
  Temporary Elevated Privileges (default)   None required                                None required in addition to baseline
  Elevated Privileges                       Workstation Manager                          Consider (none required)

Medium-Security Workstation (must only access data that is moderately sensitive or not sensitive)

  Workstation Privileges                    Approval Level                               Endpoint Security Software
  User Privileges                           Not applicable                               None required in addition to baseline
  Temporary Elevated Privileges (default)   None required                                None required in addition to baseline
  Elevated Privileges                       Supervisor and Data Security Lead            Consider (none required)

High-Security Workstation (may access data that is highly sensitive)

  Workstation Privileges                    Approval Level                               Endpoint Security Software
  User Privileges (default)                 Not applicable                               In monitoring mode (logging)
  Temporary Elevated Privileges             Supervisor and Data Security Lead            With practical security settings (click-through)
  Elevated Privileges                       Data Security Lead and VP/Dean or designee   With highest practical security settings (whitelisting)

Table 1: Overview of workstation privileges, approval levels, and endpoint security software by workstation security level.

User Privileges

If users are working with highly sensitive data, Workstation Managers must assign User Privileges as the default level of privilege and install endpoint security software in monitoring mode (as a minimum). Only those user privileges strictly necessary for users to perform their intended duties may be assigned.

User privileges must also be considered in cases where users are able to perform their assigned duties without the need for higher privileges or for workstations that are available for general use (such as those in classrooms or common areas).

Temporary Elevated Privileges

Temporary Elevated Privileges include any of the following:

- Providing users with two accounts: one with user privileges for day-to-day use and one with elevated privileges for infrequent use when required. Workstation Managers must consider blocking direct access to the account with elevated privileges where users can still perform their required duties; the user then elevates through some form of user access control from within the account with user privileges.

- Providing users with a one-time password that grants temporary elevated privileges.

- Installing a tool on the workstation that provides the user with elevated privileges for specific applications only.

Workstation Managers must assign Temporary Elevated Privileges as the default level of privilege for university workstations unless the workstation will be used to access highly sensitive data. Workstation Managers must consider assigning User Privileges instead where users are able to perform their assigned duties without higher privileges, or for workstations that are available for general use (such as those in classrooms or common areas).

If users require Temporary Elevated Privileges on workstations that will access highly sensitive data, the user must obtain written permission from their supervisor and Data Security Lead before the access is granted. This written permission must be reviewed and validated annually. Before granting the privileges, Workstation Managers must install endpoint security software on the workstation with practical security settings (as a minimum).

If the user has two accounts (one with user privileges and one with elevated privileges), users should normally access highly sensitive data only when logged in to an account with user privileges and only log in to the account with elevated privileges when absolutely required.
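The two-account model above relies on the logging that monitoring mode provides to show whether the accounts are actually being used as intended. The following Python script is an added example for this page, not part of CIO-P001 or of any UVA tool: it reviews a constructed workstation log for one user who has a day-to-day account and a separate elevated account, and flags software installed outside the elevated account, membership added to the local Administrators group (standing Elevated Privileges), and the elevated account being used for routine work. The account names (mst3k / mst3k-admin), the simplified "timestamp key=value" log format, and the list of day-to-day applications are assumptions made for the example; the event IDs are the standard Windows ones.

```python
"""Monitoring-mode review of a two-account workstation log.

Added example; not part of CIO-P001. Log lines are constructed in a
simplified "timestamp key=value ..." form. The event IDs are standard
Windows ones (Security 4688 process creation, Security 4732 member added to
a local group, Application/MsiInstaller 11707 installation completed), but
in practice they would be read from a central log store the user cannot
alter, as the procedures require for logged activity.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkstationProfile:
    """Who should be doing what on one High-Security workstation."""
    host: str
    user_account: str   # day-to-day account with user privileges
    admin_account: str  # separate account used only when elevation is required
    # Executables that signal routine, non-administrative work (assumption).
    daily_use_images: tuple = ("chrome.exe", "outlook.exe", "winword.exe")


@dataclass(frozen=True)
class Finding:
    time: str
    rule: str
    detail: str


# Constructed sample log; account names (mst3k / mst3k-admin) are a
# hypothetical naming scheme, not a UVA convention.
SAMPLE_LOG = """\
2018-01-16T09:02:11 host=ws-101 event=4688 account=mst3k image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2018-01-16T11:40:03 host=ws-101 event=11707 account=mst3k-admin product=7-Zip 18.01
2018-01-16T13:15:47 host=ws-101 event=11707 account=mst3k product=SomeBrowserToolbar
2018-01-16T13:16:02 host=ws-101 event=4732 account=mst3k-admin member=mst3k group=Administrators
2018-01-16T14:00:00 host=ws-101 event=4688 account=mst3k-admin image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2018-01-16T14:05:00 host=ws-202 event=4732 account=someone member=x group=Administrators
"""

# key=value pairs whose values may contain spaces (paths, product names)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value key=value ...' into a dict."""
    timestamp, _, rest = line.strip().partition(" ")
    event = {"time": timestamp}
    event.update(FIELD_RE.findall(rest))
    return event


def review_log(profile: WorkstationProfile, log_text: str) -> list:
    """Flag activity that contradicts the privilege model for this workstation."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("host") != profile.host:
            continue  # another workstation; reviewed against its own profile
        event_id = ev.get("event")
        account = ev.get("account", "")
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()

        # Software installed by anything other than the elevated account: either
        # a bypass of the two-account model or a misconfigured workstation.
        if event_id == "11707" and account != profile.admin_account:
            findings.append(Finding(ev["time"], "install-outside-admin-account",
                                    f"{account} installed {ev.get('product')}"))
        # Membership added to the local Administrators group is standing
        # Elevated Privileges, which needs the approval level in Table 1.
        elif event_id == "4732" and ev.get("group") == "Administrators":
            findings.append(Finding(ev["time"], "standing-admin-granted",
                                    f"{ev.get('member')} added to Administrators by {account}"))
        # The elevated account running a browser or mail client is day-to-day
        # use of the wrong account.
        elif (event_id == "4688" and account == profile.admin_account
              and image in profile.daily_use_images):
            findings.append(Finding(ev["time"], "admin-account-routine-use",
                                    f"{account} ran {image}"))
    return findings


if __name__ == "__main__":
    profile = WorkstationProfile("ws-101", "mst3k", "mst3k-admin")
    for f in review_log(profile, SAMPLE_LOG):
        print(f"{f.time} {f.rule}: {f.detail}")
```

On the sample log the script reports three findings for ws-101 (a toolbar installed from the day-to-day account, the day-to-day account added to Administrators, and the elevated account launching a browser) and ignores the ws-202 line, which belongs to a different workstation profile. The point of the review is that monitoring mode only offsets risk if someone reads what it logs; a script like this is the minimum that turns "logging" into a compensating control.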

Elevated Privileges

Whenever elevated privileges are assigned, Workstation Managers must consider whether additional protective measures should be taken such as installing endpoint security software with appropriate security settings.

Workstation Managers may provide Elevated Privileges upon request for workstations that will only access data that is not sensitive.

If a user requires Elevated Privileges on a workstation they will use to access moderately sensitive data, the Workstation Manager may grant the privileges once the user has obtained written permission from their supervisor and Data Security Lead. This written permission must be reviewed and validated annually.

If a user requires Elevated Privileges on a workstation that will be used to access highly sensitive data, they must first obtain written permission from their Data Security Lead and from their dean or assistant vice president (or equivalent), or their designee. This permission may be granted on an individual basis or on a departmental basis by job title or description of duties. Written permission must be reviewed and validated annually. If Elevated Privileges are granted on a workstation that will access highly sensitive data, the Workstation Manager must put strong compensating controls in place, such as installing endpoint security software on the workstation with the highest practical security settings.

Related Information

Exceptions to these standard operating procedures must be approved at the approval level documented in Table 1.


4. Definition of Terms

Baseline Security Measures: Standard security controls that must be in place on all University-owned computing devices to ensure they are in compliance with University Policies. These include, but are not limited to, anti-virus software, password protection, and regular software updates.

Compensating Controls: Additional protective controls, beyond baseline security measures, put in place on a workstation to offset a specific increase in data security risk.

Data Security Lead: The person designated by the VP or Dean to provide oversight of data security for the organization.  If no individual is designated, the person responsible for providing oversight of IT for the organization will fulfill this role.

Elevated Privileges: A level of permission that allows the user to install software and change configuration settings on a workstation (also known as administrator or admin privileges).

Endpoint Security Software: System settings or software installed on a workstation in addition to baseline security measures to provide compensating controls in one or more of the following three modes to offset the risk assumed by granting increased privileges:

  • Monitoring Mode: Logs user activity such as installing software.
  • Practical Security Settings: Requires the user to verify software installs before proceeding. This activity must be logged in a location the user is not able to alter.
  • Highest Practical Security Settings: Requires that any software be added to a "whitelist" of allowed software by a Workstation Manager before it can be installed.

University Highly Sensitive Data: Data that is considered "highly sensitive" based on guidance in the University of Virginia's Administrative Data Access Policy and University Data Protection Standards. Note that this does NOT include a user's own sensitive data that may be present on their workstation. See IRM-015 for guidance on the electronic storage of highly sensitive data.

Moderately Sensitive Data: Data that is considered “moderately sensitive” based on guidance in the University of Virginia’s Administrative Data Access Policy and University Data Protection Standards.

Not Sensitive Data: Data that is considered “not sensitive” based on guidance in the University of Virginia’s Administrative Data Access Policy and University Data Protection Standards.

Temporary Elevated Privileges: A control that limits an individual from having full elevated privileges during normal, day-to-day use. 

User: A person who uses or operates a workstation.

User Privileges: A level of permission that allows users to access specific resources on the workstation and network, such as data files, applications, printers and scanners.

Workstation: A desktop computer terminal or laptop intended for business or professional use.

Workstation Manager: A highly-skilled IT professional responsible for the upkeep, configuration, and reliable operation of a workstation such as a Local Support Partner (LSP) or Desktop Support Technician. 
