Enhanced PC User Privilege Procedure FAQ

What has changed in the way IUP employees obtain/retain privileges to perform "advanced functions" on university-owned desktops and laptops assigned to them, such as downloading, installing, and updating software for themselves?

To better protect both university employees and the integrity of the university's computing environment, IUP is making "standard privilege" the default privilege level on all university-owned desktops and laptops assigned to an individual. Additionally, a procedure for requesting (or keeping) enhanced privileges when standard privilege is insufficient (for instance, if the user must download, install, and/or update certain software for themselves) is now in place. Only employees seeking to obtain or retain enhanced privilege need to interact with the new procedure.

Why is IUP making this change?

In Fall 2012, at the request of President Driscoll, university IT leadership began an intense research project into best practices for information security in higher education. The goal of the initiative was to determine how the university could improve protection of sensitive data and other digital assets and preserve the concepts of academic freedom, exploration, and scholarship, within the constraints of the current economic climate.

One key finding of this research was that IUP did not adhere to a "Critical Security Control" recommended by the SANS Institute: "minimize administrative privileges and only use administrative accounts when they are required." As a result, a new procedural framework for requesting and granting enhanced privileges was created by IT leadership, approved by President Driscoll, and submitted to a team of faculty and IT leadership who developed the procedure's logistics and this FAQ.

How does this change help IUP and members of the university community?

Enhanced PC privileges create added risk to the university. For example, malicious software often uses these privileges to compromise sensitive data, allows an intruder to gain control of the PC, or violate the integrity of the university computing network. Even if no malicious software is involved, enhanced privileges may allow a user to inadvertently perform actions that compromise the computer's security or stability, or install or use software in a manner that does not comply with its license.

The establishment of the standard privilege baseline greatly reduces the likelihood of such events occurring, and may ease IT support efforts by ensuring that the software environment of most PCs they support will not contain non-standard software, processes, or services. Finally, it is beneficial to the university community to establish a uniform procedure through which all employees with legitimate need for enhanced privilege can request and gain such access.

When will this procedure be implemented?

Desktops and laptops purchased by the university after March 31, 2014, and assigned to an individual will be deployed using the new procedure, as will current PCs when assigned to a different employee. This procedure will also be used for PCs purchased before that date if the employee desired to have their privilege changed.

The procedure refers to "enhanced privilege." How is this different from administrative access ("Admin. Privs.") in Windows?

The term "enhanced privilege" encompasses any additional user privilege above the standard user privilege regardless of the operating system. The use of this term is also used in recognition of the fact that future security options might become availableoffering more user options while preserving university protections.

Will users of university-owned desktops and laptops that currently have "standard privilege" be able to receive "enhanced privilege" via this new procedure?

Yes. Any user who believes they have a need for enhanced privilege and is willing to formally accept the additional responsibility may request it.

The procedure includes the option of "temporary enhanced privilege." If this option is granted to a user that installs software during that time, how can they upgrade that software in the future if the privilege is removed?

This option exists for situations in which a user has specific tasks that require this privilege and the issues of upgrade/patch installs will be addressed with the user's IT staff support person at the time the temporary privilege is granted.

Does the procedure apply to operating systems other than Windows and Mac OS?

Yes, although other operating systems may result in variations of procedure logistics and will be handled with the user on a case-by-case basis.

How can an individual request enhanced privileges for shared desktops and laptops (e.g., lab computers or student worker computers?)

This procedure has no impact on current methods for supporting shared desktops and laptops, and current procedures will apply.

Who is eligible to request enhanced privileges?

The Enhanced PC User Privilege Procedure is available to all users who have been assigned a university-owned desktop or laptop for their individual use.

Does the procedure apply to university-owned tablet and smartphone devices?

No. IUP currently uses its Mobile Device Guidelines to consider best practices in securing these devices.