ADMINISTRATOR ACCESS POLICY
Purpose
The purpose of this Guideline is to instruct users on appropriate use of Administrator Access to SQETCH Studio (“Studio”) computing and information resources and to aid in the interpretation of requirements set forth in the infosec security handbook.
Scope
This Guideline applies to all Studio system and application administrators and any other personnel who are provided with Administrator Access to Studio computing and information resources.
Definitions
Administrator Access is defined as a level of access above that of a normal user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have Administrator Access. In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have Administrator Access. In an application environment, users with ‘super-user’ or system administrator roles and responsibilities would be considered to have Administrator Access. In theory, this guidance applies to any user account, in that access rights are to be used solely for their intended business purpose.
Non-public Information is defined as any information that is classified as Restricted Information (both Moderately Sensitive and Highly Sensitive) according to the Studio Guidelines for Data Protection.
APPROPRIATE USE OF ADMINISTRATOR ACCESS
Administrator Access to Studio computing resources should only be used for official Studio business. Use of Administrator Access should be consistent with an individual’s role or job responsibilities as prescribed by management. When an individual’s role or job responsibilities change, Administrator Access should be appropriately updated or removed. In situations where it is unclear whether a particular action is appropriate and within the scope of current job responsibilities, the situation should be discussed with Studio management.
Users with Administrator Access may be required to perform some security activities such as software or operating system patching and updates, as well as monitoring for unusual activity. If a security incident is suspected, no additional actions should be taken before consulting with Studio management in accordance with Information Security guidelines.
INAPPROPRIATE USE OF ADMINISTRATOR ACCESS
The following constitute inappropriate use of Administrator Access to Studio computing resources unless documented and approved by management:
Circumventing user access controls or any other formal Studio security controls
Circumventing any other formal Studio computing controls
Circumventing formal account activation/suspension procedures
Circumventing formal account access change request procedures
Circumventing any other established Studio procedures that are approved by some level of management
The following constitute inappropriate use of Administrator Access to Studio computing resources under any circumstances, regardless of whether there is management approval:
Accessing Non-public Information that is outside the scope of specific job responsibilities
Exposing or otherwise disclosing Non-public Information to unauthorized persons
Using access to satisfy personal curiosity about an individual, system, practice, or other type of entity
*Note: If an account or a machine with Administrator Access is believed to be compromised, users with Administrator Access should NOT perform any type of digital forensics and should notify Studio management immediately for further investigation.