Local Administrative Access Procedures on Pima Workstations

 

Operational Standards and Procedures

Administrative Access on Pima Workstations

 

Document Maintainers: Information Security Group

Approvers: Security Operations

Draft Date: 11-18-2020

Date of Adoption: 11-23-2020

Review Cycle: Yearly

Version: 1.1

Security Level: Internal Use


SECTION 1:   PURPOSE:

This standard applies to all employees of Pima Community College and information technology machines owned by Pima Community College.

The granting of administrative rights to an employee of Pima Community College over an individual desktop, laptop, or other end-user device is a privilege only awarded to individuals who require this level of access and control in order to do their jobs effectively. The goal of this standard is to describe the circumstances under which administrative rights can be granted as well as the terms and conditions upon which this privilege will be granted.

The granting of administrative rights allows the individual to change the configuration settings of a given machine and install software on that machine. As a result, these rights can expose the Pima Community College network to malware and other security exploits. In addition, incorrect configuration of machines can lead to performance problems, potentially resulting in machine downtime, lost productivity, and higher support costs.

Given the serious consequences of mishandling or abuse of administrative rights, these rights will only be granted under the condition that they are essential for the performance of the grantee’s job. Such conditions could include the following:

  • The ability to download and install specific types of software or configure system settings is mandated in the individual's job description.
  • An administrative rights access level is required for a necessary software title to run on a given machine. The software must go through the vendor security evaluation process and be part of the College portfolio of approved software.
  • Sufficient levels of IT support do not exist due to time-of-day, geographical, or expertise constraints.

 

Typically, the only individuals at Pima Community College who are granted administrative rights include:

| Job Title | Requirements for Administrative Rights |
| --- | --- |
| Information Technology Technician/Specialist | Set up desktops and laptops for end users. Provide desk-side and remote support to desktop and laptop users. |
| Information Technology Supervisor | Responsible for performing supervisory and advanced technical lead duties including overseeing and coordinating information technology activities between/among campuses and district Information Technology department. |

 

 

Note: Members of the IT Department are not automatically granted administrative rights based on their membership in the IT department alone.

If you do not hold one of the job titles described in the table above, then you will need to apply and gain approval for administrative rights if you believe it is required by your job. To apply for administrative rights, please use the Administrative Rights Application Form located at the end of this policy document. The designated authorities of the IT Department reserve the right to deny the application if it does not represent a clear business need or if the applicant has a documented history of security policy violations.

 


SECTION 2:   REQUIREMENTS FOR USERS GRANTED ADMIN RIGHTS:

Software Security Evaluation Required

All grantees are required to submit any software through the security evaluation process if the software will store, transmit or interface with confidential or regulated data.

Data Classification Standards

All grantees are required to be familiar with the College’s data classification standards. Supervisors must sign off that their employee understands the level of data they have access to.

Strong Password

All grantees are required to use a passphrase as the password they use to log in to their machine.

Security Awareness Training

The grantee must have completed the current year’s Security Awareness Training. It is the supervisor’s responsibility to ensure that the grantee has taken the training.

Record and Information Management Training

The grantee must have completed mandatory training on Information Management. It is the supervisor’s responsibility to ensure that the grantee has taken the training.


SECTION 3:   PROCEDURES:

When possible, it is recommended that end users consult with local campus I.T. before submitting a local admin request to Cybersecurity for evaluation in TDX. If local campus I.T. cannot find an alternative that alleviates the need, direct the user to submit a request starting from step 1 below. Note: end users will be required to submit either a screenshot or a PDF copy of the certificate of completion of "Record Management Online Course" and "Security Awareness for End Users" from MyCareerCenter in the TDX ticket.

Step

Action

Responsibility

1

The user places a Local Admin Request via TDX. (TDX catalogue > IT security > Local Administrator Request)

https://service.pima.edu/TDClient/1920/Portal/Requests/ServiceDet?ID=41182

 End User

2

  • Check for business justification. Is it job-related? Does Campus I.T. have any alternatives that alleviate the need for the user to have local admin access?
  • Has the user submitted proof of the 2 completed IT trainings? ("Record Management Online Course" and "Security Awareness for End Users")
  • Does the user meet the criteria above? If so, approve. If not, the user will need to revise the form or provide more context.
  • Check for all signatures and workstation asset tag.

Cybersecurity

3a

  • Windows Computers Only:
    • Open Computer Management
    • Go to Local Users and Groups
    • Right-click Users, choose "New"
    • User name: local_[user's MyPima username] (ex: local_kjduke)
    • Description: local admin account for [user's name]
    • Password: Refer to Strong Password Guidelines
    • Uncheck: "User must change password at next logon"
    • Click Create and then close the window
    • Open Groups, right-click on Administrators, and choose "Add to group"
    • Click the Add... button
    • Change the location to the computer that you're on
    • Enter the user's local account
    • Click OK, then Apply
    • Have the user log in with the account to set the password. Advise the user that the account is only to be used in administrative account prompts, because domain resources will not be available from the account.

USS/Campus IT

3b

  • Apple Computers Only:
    • Log in to https://pccjamf.jamfcloud.com
    • Go to Computers > Static Computer Groups > Local Administrator Group
    • Click edit, scope search the device name, select the device, save
    • Tell the user to open the Self Service app from Launchpad or the Applications folder
    • The app will be called “Make Current User Admin,” have the user run it
    • It will run once per computer.
    • Their standard account will turn into an Administrator account.

USS/Campus IT

4

If approved, add the user, asset tag, local account username, and the approval of creation date to the Google Sheet "Local Administrator user Approvals"

  • This list provides something to audit local administrator account reports against, so ensuring the list is updated is paramount.

Cybersecurity
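The audit described in step 4, as an added example that is not part of the original SOP: it reconciles an export of the approvals sheet against a report of local Administrators group members and flags each mismatch, covering the Windows local_ accounts from step 3a. The CSV column names, the report format, the TAG-000x asset tags and every username other than kjduke are constructed for illustration.

```python
import csv
import io
import re

# Constructed export of the approvals sheet; column names are assumptions.
APPROVALS_CSV = """user,asset_tag,local_account,approval_date
kjduke,TAG-0001,local_kjduke,2020-11-23
asmith,TAG-0002,local_asmith,2020-12-02
mlopez,TAG-0003,local_mlopez,2020-12-09
"""

# Constructed Administrators-group report, one row per member (format assumed).
ADMIN_REPORT_CSV = """asset_tag,member
TAG-0001,Administrator
TAG-0001,local_kjduke
TAG-0002,local_asmith
TAG-0002,local_bwong
TAG-0004,jdoe
"""

BUILTIN = {"administrator"}  # expected on every machine (assumption)
NAME_RULE = re.compile(r"^local_[a-z0-9]+$")  # the SOP's local_[username] form


def audit(approvals_csv, report_csv):
    """Return sorted (asset_tag, account, reason) findings."""
    approved = {(r["asset_tag"].strip().upper(), r["local_account"].strip().lower())
                for r in csv.DictReader(io.StringIO(approvals_csv))}
    seen, findings = set(), []
    for r in csv.DictReader(io.StringIO(report_csv)):
        key = (r["asset_tag"].strip().upper(), r["member"].strip().lower())
        seen.add(key)
        if key[1] in BUILTIN or key in approved:
            continue
        if NAME_RULE.match(key[1]):
            reason = "local_ account not on approvals list for this asset"
        else:
            reason = "admin member outside the local_ naming convention"
        findings.append((key[0], key[1], reason))
    # Approved rows never observed: stale sheet entries or removed accounts.
    findings += [(a, u, "approved but not present in report")
                 for a, u in approved - seen]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(APPROVALS_CSV, ADMIN_REPORT_CSV):
        print(*finding, sep=" | ")
```

The match is on the pair of asset tag and account name, so an approved account that appears on a different machine is still reported.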

 

SECTION 4:   EXEMPTIONS:

None.


SECTION 5:   ALIGNMENT TO COLLEGE POLICIES:

This operational policy aligns with the following policies for the College (AP and BP):

  1. AP 9.01.01 AUP
  2. AP 9.01.03 Security of the Information Technology Infrastructure
  3. AP 9.01.08 Information Management Standard

SECTION 6: DOCUMENTS/RESOURCES NEEDED FOR THIS SOP:

Google Sheet – Local Administrator User Approvals.

Data Classification Handbook           


SECTION 7:   RECORDS:

Local Administrators Folder – IT-USS-Systems-Security

Details

Article ID: 94605
Created: Tue 12/17/19 11:39 AM
Modified: Mon 11/23/20 6:43 AM