Local Administrative Privilege Standards (LAPS)

Date of Enforcement: November 2009

August 6, 2009

Preamble:

Faculty and staff often have a legitimate need for administrative privilege on their computers. Administrative privileges may be required to install software and updates, perform computer management tasks, or run some software packages.

However, using administrative access for everyday tasks such as reading e-mail or browsing the web carries an increased risk. Malicious software can take advantage of administrative privileges to jeopardize the operational integrity of a computer system. Compromised accounts with administrative privileges may allow intruders to disrupt computer or network operations, steal information, or gain unauthorized access to data residing on the system or attached devices. Improperly applied administrative privileges may directly impact the availability of both computing resources and IT professional support. For this reason it is prudent to restrict administrative access to those who truly need it for academic or business needs and to refrain from using administrative access for the most risky tasks.

Routine tasks that do not require administrative access, such as web browsing and reading of email, should be executed using unprivileged accounts. Administrative privileges should be granted under the IT concept of “least privilege”, meaning elevated privileges should only be granted to end-users who have a legitimate need. Tasks should be performed using the most appropriate privilege level.

University units must adopt a Local Administrative Privileges Standard that defines how users will be granted administrative privileges and that clearly defines the processes for requesting, granting/denying, appealing and revoking these privileges. These standards will be reviewed by the Office of the Chief Information Officer for conformity to these requirements, and approved standards will be published. This approach will help ensure some measure of consistency, fairness and transparency to the processes used for managing local administrative privileges at OSU.

Note: The definition of the term “unit” in this document is not meant to represent any particular organizational structure per se; the determination of which parts of an organization require a local administrative privilege standard is left intentionally vague to allow for differing organizational concerns within the various colleges and VP areas of the university.

The following document outlines the basic requirements to which all Local Administrative Privileges Standards must adhere and gives suggestions to help guide the development of these standards. A development checklist is included with this document (see Appendix A). The checklist will aid local units in assigning personnel and defining the appropriately empowered faculty and staff members to facilitate standard adoption.

Local Administrative Privileges Standard Requirements:

1. Every department must develop a local administrative privilege approval process or adopt the process developed by the Office of the Chief Information Officer (OCIO). In the absence of a locally developed submission, the unit is assumed to have adopted the OCIO developed process.

b. The process must support end users, IT staff and unit administration.

Note: In the case of academic units, end-user representation must include faculty who will be affected by the standard. Faculty representative(s) must be involved in approving the drafted local standard. Once the standard is developed and adopted, faculty representatives must continue to be involved during the regular review of the standard.

A checklist to guide units through the creation of a local administrative privileges standard document is included in Appendix A.

2. The process for assigning administrative privileges must be expressly defined in the standard.

a. The standard document must include the unit position on assigning local administrative privileges. The exception/appeal process handles any case not addressed by the normal user profiles. The standard document must outline the normal procedure a user must follow to request administrative privileges that are needed outside the “default” unit definition.
   e.g. “Only IT professionals will have administrative privileges” or “Mobile device (laptops, handheld, netbooks, etc.) users may be granted administrative privileges”; but cases may exist where a “normal” user needs administrative privileges, and these will be granted based on established exception criteria.
   Criteria for making the privilege approval decision must be clearly specified in the standard document.
   e.g. “End user privileges are granted based upon the following criteria:
     • The end user(s) utilizes a program that will only function under an account with administrative privileges.
     • The end user(s) regularly operates the computer in an area that does not offer IT professional support, such as a location outside university property.
     • The end user(s) regularly operates the computer at times when there is no IT professional support available, such as weekend nights.
     • The user(s) does not rely upon IT professionals for daily support or is her/himself an IT professional.”
b. Decisions about applications for administrative privileges must be made on a timely basis, consistent with the efficient operation of university units. The standard must state the interval within which the requests will be handled.
c. The document must state the length of time an approval is valid and the unit must establish a review process for all approved requests. The review frequency should not exceed an annual cycle.
d. If applications for administrative privileges are denied, end users must be notified in writing of the reason(s) for the decision. Responses must be returned in the same period of time the unit designates to address the initial request.

3. The standard document must include an exception/appeal process by which end users or IT staff can appeal an administrative rights decision (local appeal).

a. The exception/appeal process must be documented in the standard. The unit must designate the actions needed to request an exception to the normal approval process.
b. Appeal/Exception rulings must be documented and clearly explained to the user appealing the initial privilege decision. Responses must be communicated in a timely manner, but in no case should it exceed 10 business days.
c. Unresolved end user administrative privilege decisions may be referred to the OCIO or another local “court of last appeal”—such as a unit head or designate—for final arbitration. Whenever possible, units must clearly designate in the standard who is the final arbiter. The finality of the arbitration decision must be stated in the standard.

4. Units must include an educational component in their standard. The increased risk and responsibility inherent in operating with administrative privileges must be adequately explained and users granted these rights must be properly educated regarding these factors.

a. Units may design their own local education materials. End users and IT professionals versed in security should work together to create these materials.

Locally developed materials should be reviewed/updated regularly for continued relevance.

b. A sample training curriculum/outline is available for units.
c. Users should demonstrate in some way that they understand the impact of operating using administrative privileges and the personal accountability this responsibility may bring (e.g. a signed statement of understanding or an evaluation).

5. The unit standard must state the conditions under which administrative privileges may be revoked.

a. The document must outline the process used to make revocation decisions (e.g. whether it can be made by one person or requires review by a committee).
b. The standard must define the notification process (e.g. notification to the user that access has been revoked, why it has been revoked, and how to request reinstatement).
c. The OCIO may get involved in “severe” cases (e.g. data breaches) and may request local units suspend administrative privileges from users involved in security incidents.
d. The reinstatement process should be the same as the appeals/exception process and described within the standard document. This document should identify any additional considerations involved in reinstatement decisions. Reinstatement decisions must be documented and communicated to the end user in the time frame established for handling initial requests.

6. The Chief Information Officer (or designee) must review and approve unit developed standard documents before adoption.

a. Units should submit draft privilege documents to the Office of the Chief Information Officer by sending them in e-mail to: security@osu.edu. The OCIO will respond to submitted drafts within 10 business days of receipt.
b. Approved standard documents must be posted to a staff and faculty accessible website. Members of a unit should have easy access to this document and the supporting educational or informational materials.
c. On approval, units must advertise the existence of the standard to local users.

7. Local standard documents and processes must be reviewed on a regular basis. The interval may be designed to best suit local resource requirements but should not exceed a biannual cycle.

a. Standards modified through local review must be resubmitted to the Office of the Chief Information Officer for approval.

8. The Office of the Chief Information Officer must review this document and should update or modify the standard requirements as necessary on a biannual cycle.

Appendix A - Local Administrative Privilege Standard Creation Checklist

Step 1: Directive creation

  • Review the standard document from the Office of the CIO
  • Standard author(s) should evaluate current use of admin privileges on unit computer systems
  • Classify overall roles of users inside unit (common examples below):
    • Research
    • Software Development
    • Teaching
    • IT Operations
    • Business Operations
    • Mobile/Traveling Users
    • Special/Other roles
  • Using the classifications, the author(s) should recommend and document the “default” administrative privilege level for users within unit roles
  • Author(s) should determine the most common cases where users outside default roles can be granted administrative privileges
  • Criteria for granting exceptions should be enumerated and determined for broadest examples. These broad factors should be documented in the standard
  • Process for requesting admin privileges detailed and documented
  • Appeal/exception process to grant privileges documented

Step 2: Directive review/adoption

  • Present standard to internal review committee
    • Academic Units: Committee members must include at least 1 faculty representative
    • Business Units: Committee may be comprised of any individuals assigned by unit management
    • Hybrid Units: Committee must include at least 1 faculty representative (for example a Regional Campus)
  • Committee reviews recommendations from standard author(s)
  • Committee recommends adoption or requests revisions until it is prepared to adopt the standard

Step 3: Final Approval

  • Submit final directive statement to Office of the CIO for review/recommendations
  • Unit Committee responds to CIO review/recommendations: modifies and resubmits, or accepts comments and finalizes document
    • Create form/e-mail or create help desk support process for privilege request
    • Train support staff in request procedures
  • Unit publishes final standard document
  • Process goes into practice/requests are accepted.
    • Approvals/denials documented
  • Policy reviewed on regular basis for relevance