This directive describes the system owner's responsibility for the handling of system administrator permission and the competency criteria required for individuals that are assigned different levels of system administrator permission. The document also describes the responsibilities for individuals who are assigned system administrator permission.
System administrator permission is defined as permission with privileged rights that allow the user to change fundamental functions and security functions in an information system. System administrator permission has been divided into three levels:
System administrator permission at the technical level is defined as permission at the system level with privileged rights that allow the user to change advanced functions and security functions that can result in significant or very significant impacts on one or more applications and their information content. This could, for example, concern operations at the server or network level. Ensure security measures at the system level in accordance with the system owner's and operational manager's instructions.
Advanced system administrator permission at the application level is defined as permission with privileged rights that allow the user to change fundamental functions and security functions in an information system that can result in significant or very significant impacts on the application and its information, as well as allowing the user to assign administrative access to the system. Ensure security measures at the application level in accordance with the system owner's instructions.
Basic system administrator permission at the application level is defined as permission with privileged rights that allow the user to change simple functions in an information system with limited impacts on the application and its information, as well as allowing the user to assign access to users in the system without system administrative permission. Ensure access to information in accordance with the system owner's instructions.
System owners have an overall responsibility for administration, operations and security of information systems.
The information owner has a designated responsibility for information within one or more areas of operation.
The system owner has responsibility for the system and management of permissions. The system owner is also the owner of the system accounts, that is to say accounts that are not assigned to an individual but are used for system services or system functions.
The information owner is responsible for the management of permissions regarding access to information.
If server or application operations are managed by someone other than the system owner, each respective operations function shall apply management of permission within the framework of, and limited to, the level of permission required to complete the assigned duties. This means that the operations function shall at any point in time, upon request from the system owner, be able to present a summary of those with permission, including the level of permission for each system.
This directive is based upon the rules for Umeå University as well as the relevant parts of the Swedish Civil Contingencies Agency's (MSB) regulations MSBFS 2020:7, Chapter 4, §§ 4-5.
Management of permission implies a life-cycle perspective regarding permissions. This includes assignment, control and termination of permissions. Decisions related to the management of permissions must be documented and be made available in accordance with the stated conditions for the system.
The principles for assignment of permissions are:
- the assignment of system administrator permission shall be restricted by ensuring that use of system administrator permission is minimised and only used when absolutely necessary.
- individuals shall only have access to the information that is necessary to complete their duties.
- system administrator permission shall only allow access to a limited part of the production environment.
- system administrator permission shall only be granted for fixed periods of time and shall when required, and at least once a year, be reviewed to ensure that the assigned level of permission is correct.
- accounts with system administrator permission shall be used for system administrator permission at the technical and advanced levels.
- designated workstations should be used for system administrative duties at the technical level. These workstations should be isolated from the internet and only contain the necessary software for the intended system administrative duties so that a user, in their daily work, does not use an account with a higher level of permission than necessary.
The following applies for systems connected to the University's central identity infrastructure:
- a user can have a centrally managed account with system administrator permission on the technical or advanced level for multiple systems, on the condition that MFA can be used for logging in.
- in the case that MFA is not supported then a unique, system specific, centrally managed account with system administrator permission will be assigned.
The following applies for systems that are not connected to the University's central identity infrastructure:
- it is not permitted to use the same name standard for accounts as that used in the central infrastructure.
The system accounts are non-personal accounts that are used, for example, for integrations and other automated system flows.
The following applies to system accounts:
- system accounts shall not be assigned a higher level of permission than that which is absolutely necessary for the specific service or function. Therefore, system accounts which have several different levels of permission within the same system should be avoided.
- system accounts should be system specific.
Individuals who are assigned system administrator permission should have a good understanding of Umeå University's rules and other policy documents regarding information security and IT security.
The system owner and operational manager/closest responsible manager for system operations are responsible for ensuring that all individuals who are assigned system administrator permission have the correct level of competency with regards to, for example, technology and security along with current rules, directives and policy documents. Individuals that are granted access with system administrator permission shall participate in courses, related to information security and IT security at Umeå University, that ITS recommends.
It is the responsibility of those with system administrator permission to make sure that they keep themselves updated regarding changes to current routines, rules, directives and other relevant policy documents.
Individuals with system administrator permission at the technical or advanced level shall, in accordance with current laws, rules and the system owner's or operational manager's instructions:
- restrict a user's access to IT resources in the case of sufficient grounds for suspicion of violations of the rules or improper use.
- report suspected violations of rules or offences, based on current regulations and laws, and assist the operative manager, different levels of University administration, the incident group, the University management and the Head of IT as well as the police in any investigation into violations of rules or offences based on current regulations and laws.
- obtain consent in the case of review and control of data in information files.
- follow Umeå University's routines for the handling of incidents including specified timeframes.
- work actively to maintain the agreed level of security.
Note that assigned system administrator permission does not include the right to access information in the form of, for example, e-mail or files.
Directive for System Administrative Permission