Revoking Information Technology Resource Privileges Procedures

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) Scenarios Resulting in Disconnection from the Network
     b) Scenario 1 - Low Risk Issue - Network Privileges are Not Revoked
     c) Scenario 2 - Corrective Procedures Fail or Are Not Followed
     d) Scenario 3 - Risk Posed to IT Resources is High
     e) Scenario 4 - Repeated Low and Medium Risks to IT Resources from a Single Source
     f) Scenario 5 - Account Access Revoked Due to University Policy or Applicable Law Violations
     g) Appeals
3.  Definitions
4.  Related Links
5.  Exceptions

[Return to Library]

1. Purpose and Background

Information Technology Services (ITS), University Information Security (InfoSec), and Health Information and Technology (Health IT) representatives are responsible for minimizing risk to University of Virginia IT resources including, but not limited to network integrity, information technology (IT) resource availability, confidentiality of sensitive data, and certain non-compliance issues while maintaining business continuity. When University IT resources and privileges are impacted by a network-connected device or account, it may become necessary for Information Technology Services (ITS), University Information Security (InfoSec), or Health Information and Technology (Health IT) representatives to revoke IT resource privileges from the offending device or account.  This document highlights the procedures followed when revoking privileges under certain scenarios. This procedure applies to all devices and accounts connected directly or indirectly to the UVA network, regardless of location or affiliation.

[Table of Contents]

2. Procedures

Issues caused by devices or accounts will not normally result in the revocation of IT resource privileges.  Only when collaborative efforts to resolve the issue fail, and/or when the account or device poses an immediate or significant threat to other IT resources, as determined by ITS, InfoSec, or Health IT staff, will network privileges be revoked.  In all cases, ITS, Health IT, or InfoSec staff, as appropriate, will work with the user(s) associated with the anomaly to ensure that any interruptions in network connectivity are as brief as possible.

Scenarios Resulting in Disconnection from the Network

The following scenarios outline the procedures followed when ITS, Health IT, or InfoSec staff determine that the risk or potential risk due to the anomaly, outweighs the impact a network access interruption would cause.

Scenario 1 – Low Risk Issue - Network Privileges Are Not Revoked

This scenario details the procedure followed when a low risk anomaly associated with a network-connected device or account occurs.  The risk or potential risk due to the anomaly, particularly when quickly addressed, is outweighed by the impact a network access interruption would cause:

  1. Information Technology Services (ITS), University Information Security (InfoSec), or Health Information and Technology (Health IT) representatives or another owner/overseer observe or receive a report of an anomaly.
  2. Research is performed by relevant technical staff to determine the source of the issue and the responsible party.
  3. The user/owner/overseer associated with the device or account is notified via email of the specific vulnerability and hardware details, including IP address, MAC address, and the Date/Time of the observed issue.
  4. The user/owner/overseer is presented with steps for correcting the anomaly, if a known remediation exists.
  5. Users/owners/overseers will take the prescribed steps and reply to email to update the ticket, or otherwise notify ITS, InfoSec, or Health IT staff indicating that the issue has been resolved.
  6. The relevant ITS, InfoSec, or Health IT staff confirm that the issue has been resolved.

Scenario 2 – Corrective Procedures Fail or Are Not Followed

Users/owners/overseers are either unable to take the prescribed corrective steps, or the prescribed steps fail to resolve the issue:

  1. Information Technology Services (ITS), University Information Security (InfoSec), or Health Information and Technology (Health IT) representatives or another owner/overseer observe or receive a report of an anomaly.
  2. Research is performed by relevant technical staff to determine the source of the issue and the responsible party.
  3. The user/owner/overseer associated with the device or account is notified via email of the specific vulnerability and hardware details, including IP address, MAC address, and the Date/Time of the observed issue.
  4. The user/owner/overseer is presented with steps for correcting the anomaly, if a known remediation exists.
  5. The user/owner/overseer will reply to the email to update the ticket, or otherwise notify ITS, InfoSec, or Health IT staff indicating that the issue has not been resolved.
  6. The relevant ITS, InfoSec, or Health IT staff, upon receiving this notice or before, determine that the device or account should be disconnected while remediation attempts continue.
  7. Users/owners/overseers will reply to the email to update the ticket indicating that the vulnerability has been remediated.
  8. ITS, InfoSec, or Health IT staff will confirm that the issue has been resolved and will allow the updated device or account to reconnect.  Otherwise, device access will continue to be blocked until the issue has been resolved.

Scenario 3 – Risk Posed to IT Resources is High

InfoSec, Health IT, or ITS representatives determine that the risk associated with a device or user account to University IT resources is extraordinarily high and quickly revoke network privileges in order to protect the UVA network environment while the threat is remediated. This includes availability as well as confidentiality and integrity risks.

  1. Information Technology Services (ITS), University Information Security (InfoSec), or Health Information and Technology (Health IT) representatives or another owner/overseer observe or receive a report of an anomaly.
  2. Research is performed by relevant technical staff to determine the source of the issue and the responsible party.
  3. The relevant ITS, InfoSec, or Health IT staff determine that the device or account poses an immediate and serious threat and should be disconnected while remediation attempts continue.
  4. The user/owner/overseer associated with the device or account is notified via email of the specific vulnerability and hardware details, including IP address, MAC address, and the Date/Time of the observed issue.
  5. The user/owner/overseer is presented with steps for correcting the anomaly, if a known remediation exists.
  6. Users/owners/overseers will reply to the email to update the ticket indicating that the vulnerability has been remediated.
  7. ITS, InfoSec, or Health IT staff will confirm that the issue has been resolved and will allow the updated device or account to reconnect.  Otherwise, access will continue to be blocked until the issue has been resolved.
  8. ITS, InfoSec, or Health IT staff will confirm that the issue has been resolved and will allow the updated device to reconnect.  Otherwise, device access will continue to be blocked until the issue has been resolved.

Scenario 4 – Repeated Low and Medium Risks to IT Resources from a Single Source

Accretion of repeated low to medium risk incidents and/or lengthy duration of low to medium risk associated with a specific user or device results in too great a threat to UVA IT resources to allow continued access.

  1. Information Technology Services (ITS), University Information Security (InfoSec), or Health Information and Technology (Health IT) representatives or another owner/overseer observe or receive a report of an anomaly.
  2. Research is performed by relevant technical staff to determine the source of the issue and the responsible party.
  3. The relevant ITS, InfoSec, or Health IT staff revoke device or user account access after determining that the cumulative threats from repeated incidents or length of exposure to a vulnerability caused by the device or user equate to a serious and immediate threat.
  4. The user/owner/overseer associated with the device or account is notified via email of the specific vulnerability and hardware details, including IP address, MAC address, and the Date/Time of the observed issue.
  5. The user/owner/overseer is presented with steps for correcting the anomaly, if a known remediation exists.
  6. Users/owners/overseers will reply to the email to update the ticket indicating that the vulnerability has been remediated.
  7. ITS, InfoSec, or Health IT staff will confirm that the issue has been resolved and will allow the updated device or account to reconnect.  Otherwise, device or account access will continue to be blocked until the issue has been resolved.
  8. ITS, InfoSec, or Health IT staff will confirm that the issue has been resolved and will allow the updated device or account to reconnect.  Otherwise, device or account access will continue to be blocked until the issue has been resolved.

Scenario 5 – Account Access Revoked Due to University Policy or Applicable Law Violations

Network privileges are revoked either temporarily or permanently when University compliance representatives believe that such privileges pose a threat to IT resources or violation of University policy or applicable law.  Procedures differ from those followed above.

  1. Information Technology Services (ITS), Universit Information Security (InfoSec), or Health Information and Technology (Health IT) representatives receive a request for revoking IT resource access from University representatives with the authority to request such access terminations.
  2. The relevant ITS, InfoSec, or Health IT staff revoke access.
  3. Privileges may or may not be restored, depending on the business processes followed for the violation.

Appeals

With respect to all scenarios except for scenario 5, the owner of an impacted system or account who believes that the threat that the system posed is outweighed by the impact caused by revoking privileges may appeal the decision by providing justification in writing to the Chief Information Security Officer (CISO). The CISO or his designee will balance the value of restoring the device or account access and/or any compensating controls used against the associated risks and act accordingly.

[Table of Contents]

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: Chief Information Security Officer