Local Administrative Privilege Standards (LAPS)
Date of Enforcement: November 2009
August 6, 2009Preamble:
Faculty and staff often have a legitimate need for administrative privilege on their computers. Administrative privileges may be required to install software and updates, perform computer management tasks, or run some software packages.
However, using administrative access for everyday tasks such as reading e-mail or browsing the web carries an increased risk. Malicious software can take advantage of administrative privileges to jeopardize the operational integrity of a computer system. Violated accounts with administrative privileges may allow intruders to disrupt computer or network operations; steal information; or allow unauthorized access to data residing on the system or attached devices. Improperly applied administrative privileges may directly impact the availability of both computing resources and IT professional support. For this reason it is prudent to restrict administrative access to those who truly need it for academic or business needs and to refrain from using administrative access for the most risky tasks.
Routine tasks that do not require administrative access, such as web browsing and reading of email, should be executed using unprivileged accounts. Administrative privileges should be granted under the IT concept of “least privilege”, meaning elevated privileges should only be granted to end-users who have a legitimate need. Tasks should be performed using the most appropriate privilege level.
University units must adopt a Local Administrative Privileges Standard that defines how users will be granted administrative privileges and that clearly defines the processes for requesting, granting/denying, appealing and revoking these privileges. These standards will be reviewed by the Office of the Chief Information Officer for conformity to these requirements, and approved standards will be published. This approach will help ensure some measure of consistency, fairness and transparency to the processes used for managing local administrative privileges at OSU.
Note: The definition of the term “unit” in this document is not meant to represent any particular organizational structure per se, the determination of which parts of an organization requires a local administrative privilege standard is left intentionally vague to allow for differing organizational concerns within the various colleges and VP areas of the university.
The following document outlines the basic requirements to which all Local Administrative Privileges Standards must adhere and gives suggestions to help guide the development of these standards. A development checklist is included with this document. (see Appendix a) The checklist will aid local units in assigning personnel and defining the appropriately empowered faculty and staff members to facilitate standard adoption.
Local Administrative Privileges Standard Requirements:
1. Every department must develop a local administrative privilege approval process or adopt the process developed by the Office of the Chief Information Officer(OCIO). In the absence of a locally developed submission the unit is assumed to have adopted the OCIO developed process.
Note: In the case of academic units, end-user representation must include faculty who will be affected by the standard. Faculty representative(s) must be involved in approving the drafted local standard. Once the standard is developed and adopted, faculty representatives must continue to be involved during the regular review of the standard.
A checklist to guide units through the creation of a local administrative privileges standard document is included in Appendix A.
2. The process for assigning administrative privileges must be expressly defined in the standard.
- The end user(s) utilizes a program that will only function under an account with administrative privileges.
- The end user(s) regularly operates the computer in an area that does not offer IT professional support such as a location outside university property.
- The end user(s) regularly operates the computer at times when there is no IT professional support available, such as weekend nights.
- The user(s) does not rely upon IT professionals for daily support or is her/himself an IT professional.”
3. The standard document must include an exception/appeal process by which end users or IT staff can appeal an administrative rights decision (local appeal).
4. Units must include an educational component in their standard. The increased risk and responsibility inherent in operating with administrative privileges must be adequately explained and users granted these rights must be properly educated regarding these factors.
Locally developed materials should be reviewed/updated regularly for continued relevance.
5. The unit standard must state the conditions under which administrative privileges may be revoked.
6. The Chief Information Officer (or designee) must review and approve unit developed standard documents before adoption.
7. Local standard documents and processes must be reviewed on a regular basis. The interval may be designed to best suit local resource requirements but should not exceed a biannual cycle.
8. The Office of the Chief Information Officer must review this document and should update or modify the standard requirements as necessary on a biannual cycle.
Appendix A - Local Administrative Privilege Standard Creation Checklist
Step 1: Directive creation
- Review the standard document from the Office of the CIO
- Standard author(s) should evaluate current use of admin privileges on unit computer systems
- Classify overall roles of users inside unit: (common examples below)
- Software Development
- IT Operations
- Business Operations
- Mobile/Traveling Users
- Special/ Other roles
- Using the classifications, the author(s) should recommend and document the “default” administrative privilege level for users within unit roles
- Author(s) should determine the most common cases where users outside default roles can be granted administrative privileges
- Criteria for granting exceptions should be enumerated and determined for broadest examples. These broad factors should be documented in the standard
- Process for requesting admin privileges detailed and documented
- Appeal/exception process to grant privileges documented
Step 2: Directive review/adoption
- Present standard to internal review committee
- Academic Units: Committee members must include at least 1 faculty representative
- Business Units: Committee may be comprised of any individuals assigned by unit management
- Hybrid Units: Committee must include at least 1 faculty representative (for example a Regional Campus)
- Committee reviews recommendations from standard author(s)
- Committee recommends adoption or requests revisions until it is prepared to adopt the standard
Step 3: Final Approval
- Submit final directive statement to Office of the CIO for review/ recommendations
- Unit Committee responds to CIO review/recommendations modifies and resubmits or accepts comments and finalizes document
- Create form/e-mail or create help desk support process for privilege request
- Train support staff in request procedures
- Unit publishes final standard document
- Process goes into practice/requests are accepted.
- Approvals /denials documented
- Policy reviewed on regular basis for relevance