UIS.301 Elevated Privileges Management Policy

300. Identity and Access Management

Purpose 

Georgetown University Information Services has developed and implemented the Elevated Privileges Management policy and procedures in order to minimize risk to the University’s information systems, data, and its faculty, staff, and students through the use of high-privilege user accounts. Directed by the Chief Information Security Officer (CISO), these policies set the information security standards for the provision, management and use of administrative accounts. 

Elevated privileges can allow an individual to install applications, change system configurations and other settings, access or modify server systems and their data, and modify the privileges of other users. Any compromise of these accounts presents opportunities for unauthorized access and intentional harm to University systems and data.  

Scope 

The elevated privileges management policy and supporting requirements are applicable to all activities in which an individual is engaged as an employee or contractor in any role with privileges to administer systems or data (Extended Data Access). Employees with extended data access include staff and contractors working directly for or in partnership with UIS Operations, UIS Information Security, UIS Ed Tech, UIS Administrative Applications, and University Facilities/Power Plant. 

Policy 

Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Access Control” guidelines as the official policy for this security domain. Each system administrator, system owner, and elevated privileges account holder must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

Georgetown staff and account holders will have privileges appropriate for the scope of their job responsibilities. Any systems or network users are, by default, not granted elevated privileges. Elevated access to Georgetown resources should only be used when such access is necessary to carry out specific duties related to an administrator’s role. Elevated privileges shall not be used to conduct duties that do not specifically require that level of privilege. Staff and contractors with administrative privileges are required to read and sign the “Elevated Privileges Responsibility Agreement.” 

The provision, use, actions, and de-provision of elevated privileges will be authorized, monitored, logged, and audited periodically by appropriate internal and external reviewers.