Emergency Access via Privileged Access Management Policy

Version 1.0

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to establish a controlled process for gaining Emergency Access to critical systems and applications in situations where standard authentication methods are not possible or practical.

Scope

This IT policy, and all policies referenced herein, shall apply to members of the University community, including administrators, staff, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ the privileged access security solution referenced.

Policy Statement

  • Emergency Access via the University’s privileged access management solution (i.e., CyberArk Vault) must only be used when standard access methods have failed and immediate action is required.
  • Information Security and Assurance is responsible for granting and monitoring Emergency Access.
  • Information Security and Assurance must validate the emergency situation before granting access.
  • All Emergency Access activities must be fully logged and monitored.
  • All actions taken during Emergency Access must be audited and reviewed by Information Security and Assurance and DevOps within 24 hours of the event.
  • Emergency Access credentials must be rotated immediately after use.

Definitions

CyberArk is a privileged access security solution the University uses to manage and secure credentials.

Emergency Access is extraordinary administrative permission granted for a limited time to resolve an immediate issue.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Non-Persistent Administrative Access Guidelines

Implementation Information

Review Frequency: Annual
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: October 30, 2023

Revision History

Version | Date | Description
1.0 | 10/30/2023 | Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.
