Superseded by Administrative Privileges on University Endpoints Procedure
Table of Contents
1. Purpose and Background
2. Standards
a) Granting of Workstation Privileges
b) User Privileges
c) Temporary Elevated Privileges
d) Elevated Privileges
e) Related Information
3. Definitions
4. Related Links
5. Exceptions
1. Purpose and Background
The purpose of this standard is to provide guidance for workstation owners and overseers responsible for establishing user privileges on University of Virginia-owned computers. This standard outlines operational best practices and standardized approaches to help ensure that users of University-owned workstations accessing University data are assigned the minimum level of workstation privileges necessary for successful performance of job duties. This standard also highlights measures that must be taken with increasing privileges and data sensitivity levels in order to ensure the protection of University data and the security of the University network and other resources. Users are also responsible for ensuring they protect University data in accordance with current University Data Protection Standards. This standard applies to all University-owned workstations, with compliance required by March 1st, 2018
2. Standards
Granting of Workstation Privileges
In general, Workstation Managers will set privileges on a workstation for a specific user based on the highest level of sensitivity of the data that user will need to access from that workstation to perform their duties.
If a workstation will be used to access highly sensitive data, that workstation must have a full malware scan before being configured to allow access to that data.
Before granting users access to highly sensitive data, the user’s supervisor or manager must ensure the user has completed required security awareness training in accordance with University Information Security (InfoSec) guidance.
Users are responsible for ensuring they protect University data in accordance with current University Data Protection Standards.
In general, any increased risk assumed by granting increased privileges must be offset by adding compensating controls or holding users to a higher level of accountability for their actions. The level of compensating controls must be based on the sensitivity of the data that will be accessed from a particular workstation:
For data that is “not sensitive,” additional compensating controls beyond baseline security measures could be minimal or non-existent
For data that is “sensitive,” compensating controls must be practical and balanced between ease of use and protection of the information
For data that is “highly sensitive,” compensating controls must provide the highest level of protection for the information possible that will still allow users to accomplish their required duties
Below are procedures Workstation Managers must follow when determining the appropriate level of access to provide a given user on a given workstation. Note that these procedures are not a replacement for sound judgment.
See Table 1 below for a quick overview of workstation privileges. Details are contained in the text following the table.
Minimum-Security Workstation. Must only access data that is not sensitive | ||
---|---|---|
Workstation Privileges | Approval Level | Endpoint Security Software |
User Privileges | Not Applicable | None required in addition to baseline |
Temporary Elevated Privileges (Default) | None required | None required in addition to baseline |
Elevated Privileges | Workstation Manager | Consider (None required) |
Medium-Security Workstation. Must only access data that is sensitive or not sensitive (not highly sensitive) | ||
---|---|---|
Workstation Privileges | Approval Level | Endpoint Security Software |
User Privileges | Not Applicable | None required in addition to baseline |
Temporary Elevated Privileges (Default) | None required | None required in addition to baseline |
Elevated Privileges | Supervisor & Data Security Lead | Consider (None required) |
High-Security Workstation. May access data that is highly sensitive. | ||
---|---|---|
Workstation Privileges | Approval Level | Endpoint Security Software |
User Privileges (Default) | Not Applicable | In monitoring mode (logging) |
Temporary Elevated Privileges | Supervisor and Data Security Lead | With Practical Security Settings (click through) |
Elevated Privileges | Data Security Lead and VP/Dean or their Designee | With Highest Practical Security Settings (whitelisting) |
Table 1:
User Privileges
If users are working with highly sensitive data, Workstation Managers must assign User Privileges as the default level of privilege and install endpoint security software in monitoring mode (as a minimum). Only those user privileges strictly necessary for users to perform their intended duties must be assigned.
User privileges must also be considered in cases where users are able to perform their assigned duties without the need for higher privileges or for workstations that are available for general use (such as those in classrooms or common areas).
Temporary Elevated Privileges
Temporary Elevated Privileges includes:
- Providing users with two accounts, one with user privileges for day-to-day use, and one with elevated privileges for infrequent use when required. Workstation Managers must consider blocking direct access to the account with elevated privileges if doing so will allow users to perform their required duties; this will require the user to use some form of user access control from within the account with user privileges.
- Providing users with a one-time password that allows them temporary elevated privileges
- Installing a tool on the workstation that provides the user with elevated privileges for specific applications.
Workstation Managers must assign Temporary Elevated Privileges as the default level of privilege for university workstations unless that workstation will be used to access highly sensitive data. Workstation Managers must consider assigning user privileges in cases where users are able to perform their assigned duties without the need for higher privileges or for workstations that are available for general use (such as those in classrooms or common areas).
If user require temporary elevated privileges on workstations that will access highly sensitive data, the users must obtain written permission from their supervisor and data security lead prior to being granted the access. This written permission must be reviewed and validated annually. Before granting the privileges, Workstation Managers must install endpoint security software on the workstation with practical security settings (as a minimum).
If the user has two accounts (one with user privileges and one with elevated privileges), users should normally access highly sensitive data only when logged in to an account with user privileges and only log in to the account with elevated privileges when absolutely required.
Elevated Privileges
Whenever elevated privileges are assigned, Workstation Managers must consider whether additional protective measures should be taken such as installing endpoint security software with appropriate security settings.
Workstation Managers may provide elevated privileges upon request for workstations that will only access not sensitive data.
If a user requires elevated privileges on a workstation, they will be using to access sensitive data, the Workstation Manager may grant them privileges as long as the user has obtained written permission from their supervisor and data security lead. This written permission must be reviewed and validated annually.
If a user requires elevated privileges but will need to access highly sensitive data on the workstation, they must first get written permission from their data security lead as well as their dean or assistant vice president equivalent or their designee. This permission may be granted on an individual basis or on a departmental basis by job title or description of duties. Written permission must be reviewed and validated annually. If elevated privileges are granted on a workstation that will access highly sensitive data, the Workstation Manager must ensure that strong compensating controls are put in place, such as installing endpoint security software on the workstation with the highest practical security settings.
Related Information
Exceptions to these standard operating procedures must be approved at the approval level documented in Table 1.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
5. Exceptions
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.