Administrator Access and Co-Support

About this requirement

Date of last update:

May 15, 2024

Procedures

Approval Process

Storing or manipulating sensitive data classified as restricted or critical on a self-managed system is prohibited without the explicit approval of the College Leader for Information Security & Policy. Further information on the classifications of sensitive data is available via the comprehensive Data Sharing and Handling tool.

If you need administrator access to a College-managed system or a self-managed system, submit the approval request form:

Request For Administrative Privileges

Submitted requests will be evaluated and you will be notified of approval or rejection.

Once a request is approved by the sponsoring faculty member (for non-faculty requesters) and the College Leader for Information Security & Policy, the appropriate permissions will be granted.

Documentation

These permissions will be documented in the help desk ticket. Notes will be added to the comments section of the corresponding hardware database entry using the #admin, #co-support and #self-managed tags, and the help desk ticket number documenting the approval will be added to the database entry. This is done as follows:

  1. Add a tag such as "#admin username", "#co-support username" or "#self-managed username" to the comments section of the database entry, where username is the IU username of the user who was granted administrator rights.
  2. Add the help desk ticket number to the "INC#" field in the hardware database.

Verification

Verification of the self-managed system's configuration will be performed to ensure that the open services match those listed on the submitted Administrative Privilege request form. The Qualys security scanner will be used to detect vulnerabilities, and College IT staff and the administrative user will be required to resolve all reported problems.

Administration Requirements

The administration of the system must follow IU policy IT-12 (Security of Information Technology Resources) as well as College IT policies, including IT Policy: Workstation Security and IT Policy: Mobile Device Security. Below is a summary of the key requirements all systems must follow to comply with IU and College IT policy:

Admin Access - Normal day-to-day use of the system must be done from non-privileged accounts. When elevated privileges are needed, a dedicated admin account or sudo must be used. Do not grant your normal account administrative privileges.

Firewall - A host-based firewall (e.g. Linux iptables or Windows Firewall) must be used to limit open ports to only those explicitly required. College-managed systems have this enabled by default and you must not disable it.

Passphrases - All accounts must have passphrases that meet the IU Passphrase Requirements. College-managed systems use normal IU passphrases, and that configuration must not be changed.

Accounts - Accounts on College-managed systems should not be created without College IT approval. On self-managed systems, each individual needing access should be given their own account. Shared group or guest accounts are not permitted without College IT approval.

OS Updates - College-managed systems are configured to receive OS updates automatically, and this should not be disabled. Self-managed systems must run an operating system that is currently supported by its provider and actively receiving security patches, and must be configured so that security updates are applied automatically. If this is not possible and updates can only be applied manually, security updates must be applied within the standard 24/48/72-hour timetable for high/medium/low-risk issues.

Application Updates - Application updates not covered by normal OS updates should be automated wherever possible. When manual updates are required, security updates must be applied within the standard 24/48/72-hour timetable for high/medium/low-risk issues. For network-accessible applications (such as WordPress, Drupal, DokuWiki, other web services, databases, etc.), administrators should subscribe to the projects' announcement mailing lists so they are notified of new releases, and apply security updates immediately.

Sensitive Data - No sensitive data is allowed on self-managed systems without the approval of the College Leader for Information Security & Policy. This includes all sensitive data in the critical, restricted and university-internal categories as defined by Management of Institutional Data (DM-01). Administrators must take the necessary steps to ensure that no sensitive data is stored on the system. If any sensitive data is ever discovered on the system, report it immediately to the College IT group. For further information about the classification and handling of sensitive data, see the comprehensive Data Sharing and Handling page.

SSL/Encryption - All authentication must be done over encrypted channels so that passphrases are never sent over the network in cleartext.

Anti-Virus Software - College-managed systems will have the required anti-virus software installed, and it must not be removed or disabled. Self-managed systems must use anti-virus software where it is available.

External Scans - All College systems are subject to external vulnerability scans, and the system administrator must commit to remediating all detected vulnerabilities.

Mobile Devices - All mobile devices must comply with the Mobile Device Security Standard, which includes whole-disk encryption for laptops and passcodes for phones and tablets.

Reporting - Any security breach must be reported immediately per IT Policy: Incident Response.

References:

There are various IU computing policies and documents relevant to the setup and administration of self-managed systems, including the following:

Please see the University Policies listing of Information and IT policies for a complete list of IU IT policies.