Enhanced PC User Privilege Procedure

  • Background:

    The university reserves the right to determine the level of user access granted to university-owned desktops and laptops. IUP aligns its practices with industry best practices as articulated in various standards, such as the 20 Critical Security Controls from the SANS Institute. As per the Controls, it is vital to “Minimize administrative privileges and only use administrative accounts when they are required.”

    As such, the university generally limits such access to information technology (IT) staff specifically trained to perform these duties in a manner that helps protect sensitive university assets while supporting vital academic freedom principles (instruction, research, scholarly activity, etc.) without an undue burden.

    However, situations exist in which the user assigned a university-owned desktop or laptop also requires enhanced privileges. The following process is for users to request enhanced privileges. Situations involving shared desktops or laptops, such as computer labs, are beyond the scope of this process.

    Activation, Compliance, and Revocation:

    The user will be required to acknowledge the following restrictions when they submit their request. This is accomplished by the user using their Single Sign-on (SSO) credentials to log in to iforms to submit their request.

    Desktop Services will retain authority to intervene in system and patch management which includes the base software inventory.

    The university will not accept responsibility for patching software the user installed locally or for license compliance related to such software. If the request for enhanced privileges is approved, please keep in mind that the user will be responsible for updating any additional software installed on this PC apart from the base PC install. If vulnerabilities are found with such software, the user will be responsible for bringing the computer into compliance.

    Privileges will be revoked if the PC is compromised and investigation leads to any additional software being the cause.

    IT Services retains the responsibility and authority for directing security-related and inventory scans (sensitive data, unpatched software, unsecured system configurations, lack of updated/operating antivirus software, etc.) as well as performing event logging analysis. Desktop or laptop network connectivity can be temporarily suspended until the user can bring the computer into compliance in keeping with past practice.

    The respective vice president or their designee can direct Desktop Services to revoke the enhanced privileges, as they deem appropriate. The user will be given a written explanation for the revocation.

    Process:

    1. A user receiving either a new or rebuilt university-owned desktop or laptop will be asked if they need enhanced privileges by the assigned IT Services staff person. If the user’s needs suggest enhanced privilege is required, the IT staff person will work with the user to create a request for the privilege, including a very brief explanation (two to three sentences) of the need.
    2. To submit the request, you will need to check the agreement statement below, then click on the Request button. This will require you to log in to iforms to submit your request. You will log in to the system using your MyIUP/network credentials.
    3. Complete the web form in iforms, and click on Submit. This will send a notification to Desktop Services to review your request.
    4. Desktop Services will review the request and engage other IT Services staff members as appropriate to determine the best alternative that balances user needs with the university’s interests in following account management best practices. These options include: a.) permanent enhanced privilege, b.) temporary enhanced privilege (a short window for the user to complete specific tasks), or c.) standard privilege.
    5. Desktop Services will inform the user of the resolution, and the assigned IT Services staff person will set up the desktop or laptop accordingly. In cases where the user does not agree with the resolution, the respective vice president or their designee will review and determine the appropriate action. A user can work with their assigned IT Services staff person if their needs for enhanced privilege then change in the future.
    6. If you have any questions, you can submit an ihelp ticket with your question.

    By submitting this request, you agree to comply with the policies established on this page. This action will require you to log in to iforms.


  •