Privileged Access Service Requirements
Effective date: 06/1/2022
Last update: 06/28/2022
This Service Requirement describes the University's requirements for privileged access to Information Technology (IT) systems and services. Individuals who have operational knowledge and elevated access to Duquesne University IT systems and services are often extended trust and responsibility in their duties. "Privileged Access" provides employees and vendors enhanced access to IT systems and services. This Service Requirement outlines the security measures and risk mitigation steps required to gain access to sensitive and privileged systems and services.
This Service Requirement applies to all students, employees, affiliates or other members of the community who connect to servers, applications or network devices at Duquesne University.
The requirements to obtain secure access to restricted and privileged University systems and data include:
- Privileged access users must use Duquesne University MultiPass credentials where possible and must comply with the CTS Credentials and Password Service Requirement.
- The Principle of Least Privilege must be followed. Privileged access users must have permissions set to the lowest level of access needed to accomplish their job function. Standard university processes must be used to request and approve all privileged access accounts. Annual review of all privileged access is required.
- Privileged access users should only have access on a Need-to-Know basis. The users should only have access to, and knowledge of, the data needed to do their job function.
- It is the responsibility of each business unit to utilize a Separation of Duties and Rotation of Duties plan. Separation of Duties is achieved by separating roles and responsibilities for a high-risk business process across multiple people. Rotation of Duties is achieved by rotating tasks periodically, so it becomes more difficult for users to collude to engage in fraudulent behavior. These steps reduce risk to systems and university data, especially in situations where credentials become compromised.
- Appropriate logs must be maintained in a centralized system where integrity and access can be controlled and monitored. Any additional logs must be made available to the Information Security Office for review when requested. Logs shall be reviewed on a regular basis for malicious activity as required by university standards or regulatory compliance.
- Privileged access users' desktop or laptop computers should be university owned and managed by centralized university-controlled endpoint technologies. When utilizing privileged access to university systems, users should, when technically feasible, connect via the university's physical network or use the university's VPN.
- Privileged access users should leverage the University's BeyondTrust (Bomgar) and/or Thycotic Secret Server solutions, which limit the exposure and risks to internal systems and services where technical controls and limitations are necessary.
- Individuals with privileged access must respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with all relevant laws, policies and regulations. In all cases, access to other individuals' electronic information shall be limited to the least perusal of contents and the least action necessary to resolve a situation.
- Privileged access users shall take necessary precautions to protect the confidentiality and integrity of information encountered in the performance of their duties. If, during the performance of their duties, users observe strange activity or evidence indicating misuse, they must immediately notify their supervisor and/or the Information Security Office.
- An individual must log in to the privileged access client with their MultiPass credentials to initiate the connection to the sensitive infrastructure or asset.
- Individuals logging into the privileged access systems must also provide a second factor of authentication via Duo (also known as "multifactor" or "two-factor" authentication).
- A secure, encrypted session will be established from the user's workstation to the privileged access system or server.
Implementing such safeguards helps the University reduce the risk of damages related to data loss, data breach, denial of service and other negatively impacting events caused by malicious actors on and off campus.
Obtaining Privileged Access
Individuals requiring privileged access to sensitive systems and data must file a request with the CTS IT Service Desk (email@example.com) to initiate a "Privileged Access" account request. The requestor will need to list what server(s) they wish to connect to as well as services/ports.
The request will be reviewed and approved by the Information Security Office. The Manager of Secure Integrated Infrastructure will continue the process by provisioning access and providing onboarding support.
An example of Banner test database access would look like this:
The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.
The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.
Rotation of Duties/Job Rotation: This is a practice that compels employees to rotate into different jobs, or at least rotate some of their duties periodically, such as during vacations or personal days off. This helps to deter fraud and to prevent other misdeeds such as sabotage and information misuse.
Separation of Duties: This refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare it. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles which cannot be executed by the same user) or dynamically (by enforcing the control at access time).