Guideline for Privileged Account Management

I. PURPOSE

The purpose of this document is to provide guidance in meeting the university’s obligation to ensure that user access to systems and services is based upon authorization and that unauthorized access is prevented. It is the responsibility of all system owners to determine appropriate controls, rules, access rights and restrictions for their information or information systems.

II. SCOPE

This guideline applies to UNC Charlotte faculty and staff and other authorized users with privileged access to information systems and network resources that store level 2 or level 3 data or that support mission critical university, college, or departmental functions.

III. CONTACTS

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance ISCompliance-group@uncc.edu.

IV. GUIDELINES

A. Definition of Privileged Accounts

A privileged account is an account that by virtue of function and/or security access, has been granted special privileges within an information system or network resource that are significantly greater than those available to the majority of users. See this FAQ to learn more about when a privileged account should be used.

These accounts have special administrative or elevated privileges that may include the ability to do any or all of the following on a global basis within the system or network resource:

  • administer users (add, remove, disable accounts, or modify permissions),
  • make or affect configuration or other changes,
  • secure, control, manage, or monitor access.

B. Use of Privileged Accounts

A privileged account, which is separate from and unrelated to an individual’s standard NinerNET user account, must be used when performing administrative duties and other elevated functions within a system or application. The allocation and use of privileged accounts should be restricted and controlled. Individuals with privileged access must not abuse their access capability, must respect their functional access authority limits, the rights of the system users, the integrity of the systems and related information resources, and must comply with relevant university policies, standards, and guidelines.

C. Assignment of Privileged Accounts

Privileged accounts should only be granted to authorized individuals. The level of access granted should be verified and appropriate based on business purposes and other security controls. Authorization for privileged accounts will be governed by the owner of the system or application. The system or application owner is responsible for maintaining documentation recording those individuals who have been granted privileged accounts.

  • Individuals with privileged access have two unique accounts:
    • a standard NinerNET account used for normal day-to-day activities including logging in to the individual’s primary workstation;
    • a privileged account used strictly for performing administrative duties and other elevated functions.
  • Where technically feasible, the privileged account should be centrally managed. See this FAQ for instructions on requesting an account.
  • If the privileged account is not centrally managed, it should follow the standard naming convention, where feasible, and comply with the Standard for Account Passwords.
  • Individuals may use a single privileged account when managing multiple systems.
  • Individuals with privileged accounts should not use their account for unauthorized viewing, modification, copying, or destruction of system or user data.
  • Individuals with privileged accounts have a responsibility to protect the confidentiality of any information they encounter while performing their duties.

D. Privileged Account Access Review Process

A formal privileged account review process should be developed by the owner of the system or application. The review should be conducted at least annually and documentation of the review should be retained for audit and compliance purposes.

The following actions should be taken:

  • Remove or disable any privileged accounts belonging to individuals who have left the university;
  • Remove or disable any privileged accounts for individuals who no longer require the account based on their current job function;
  • Ensure that no unauthorized privileged accounts have been created.

RELATED RESOURCES

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by the Information Assurance Committee 6/06/19
Updated 3/03/22