Technical System Administration Policy

Originally Issued:

April 2015

Policy:

Every system must have a designated system owner who is a full-time UNLV employee and is accountable for the system. (System owner: a full-time UNLV employee who is responsible for the system, knows the function(s) of the system, authorizes access, knows who the data owners are, and understands what data the system stores, processes, or transmits.) The system owner must ensure that the security and access requirements associated with the data on the system are in compliance with federal, state, and NSHE statutes, regulations and/or policies established by these groups. (Data: the observations and information collected or accessed during the performance of services, including protected information and images with a reasonable expectation of privacy.)

Technical administrators must know who the system owner is and must ensure that the security and access requirements associated with the data and/or applications on the system are met. (Technical administrators: individuals who manage the system as the system owner or on behalf of the system owner. Technical Administrators have administrative privileges (e.g., adds users, updates operating systems, defines roles, configures the application) and may be responsible for system, application, or user security. Technical Administrators may also be known as Application Administrators, System Administrators, Network Administrators, Database Administrators, etc.)

Systems must meet security standards set by the Office of Information Technology (OIT). (Systems: devices and applications accessed via the network.)

Systems will be audited periodically by OIT to ensure compliance with federal, state and NSHE statutes, regulations and/or policies.

Statement of Purpose:

The purpose of this policy is to:

  • Keep university systems and the data they contain secure in order to ensure high availability and to prevent the systems from being used for unauthorized purposes.
  • Comply with federal, state, and NSHE statutes, regulations and/or policies.

Entities Affected By Policy:

Entities affected by this policy include system owners and technical administrators.


Who Should Read This Policy:

System owners and technical administrators should read this policy.


Exceptions:

Exceptions to Password Standards

Any system that will support the requirements in sections 1.1 and 1.2 must be configured to do so. The technical administrator is responsible for educating users of the system on required password standards even if they cannot be mandated by the system. 

If a system does not support the above requirements, the technical administrator must configure passwords of the maximum length and complexity that the system will support. 

Any deviations from the requirements listed in sections 1.1 and 1.2 will require a written exception detailing the compensating security controls in place on the system. All exceptions will be audited periodically to ensure compliance with policy.

To request an exception, please complete the OIT Exception Form.

Exceptions to Security Standards

Currently, there are no predefined exceptions to the Technical System Administration Policy. Exceptions will be made on a case-by-case basis.

To request an exception, please complete the OIT Exception Form.

A written explanation as to why the system or service requires an exception must be submitted (e.g., security patch cannot be applied in an automated fashion due to the applications on the server). Technical documents should be included where available.

To protect sensitive data and preserve the integrity of UNLV systems, OIT staff will work with the requester to:

  • Establish compensating controls for system operation to mitigate risk.
  • Develop an audit schedule to verify the compensating controls remain in place and are mitigating current risks.

Deliberation on exception requests will begin within 10 business days of receipt of the request. Exceptions will be reviewed annually. Periodic audits will be conducted to determine that the conditions for granting the exception are still being met.


Frequently Asked Questions:

Do the policy and associated standards and procedures apply to servers administered by a third party?

Yes, servers administered by a third party on behalf of UNLV or any unit of UNLV (infrastructure as a service) must meet these standards. For each system administered by a third party, a full-time UNLV employee must be named as the system owner. The company providing technical administration must sign appropriate agreements to:

  • Protect UNLV data
  • Abide by all federal, state, and local laws and regulations that apply to UNLV (e.g., FERPA, HIPAA, PCI-DSS, GLB Act)
  • Comply with UNLV internal policies. 

The UNLV system owner is responsible for ensuring the third party providing technical administration is compliant with the requirements above.

In the case of software as a service (SaaS), such as Google Apps, Office365, or Workday, contractual arrangements negotiated on behalf of UNLV or NSHE will supersede this document. However, a system owner must be named to monitor compliance with and changes to contractual agreements and serve as the contact for any security issues that may arise.

Services operated on UNLV’s behalf by System Computing Services require a UNLV system owner (generally an OIT staff member). The system owner must monitor compliance with service agreements and governance structures.

What is the timeline for bringing the systems I manage into compliance?

The systems should be brought into compliance as soon as possible. If you cannot bring all the systems for which you are responsible into compliance by December 31, 2015, please contact OIT for assistance.

Due to limits of the system, I do not believe I can meet some of the requirements (e.g., rotating passwords every six months). What should I do?

Contact OIT to discuss possible exceptions and compensating controls. The OIT Policy Exception Form can be found at https://oit.unlv.edu/node/6022.

I am not certain if a given account should be considered a service account or an administrative account. How do I make this determination?

Generally, if the account is being used by a system it is a service account. Accounts being used by a person are administrative accounts. If the account type is not readily apparent, please contact OIT for assistance.

I have a test/development system. Does it fall under this policy?

If the test/development system processes, stores, or transmits actual university data (non-fictitious), the policy applies.