Emergency Access via Privileged Access Management Policy

Version 1.3

For Students, Faculty, Staff, Guests

Purpose

The purpose of this policy is to govern the controlled granting of Emergency Access to critical systems and applications when standard authentication methods are not possible or practical. 

Scope

This IT Security policy, and all policies referenced herein, shall apply to members of the University community, including administrators, staff, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ the privileged access security solution referenced.  

Policy Statement

  • Emergency Access provided by the University’s privileged access management solution (i.e., CyberArk Vault) must be used only when typical non-persistent methods have failed and immediate action is required.
  • Information Security and Assurance is responsible for approving and monitoring Emergency Access.
    • Information Security and Assurance must validate the emergency situation before access is granted. 
  • All Emergency Access activities must be fully logged and monitored. 
  • All actions taken during Emergency Access must be audited and reviewed by Information Security and Assurance and DevOps within 24 hours of the event.
  • Emergency Access credentials must be rotated immediately after use.

Definitions

CyberArk is a privileged access security solution that the University uses to manage and secure credentials.

Emergency Access is an extraordinary administrative permission granted for a limited time to resolve an immediate issue.

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Non-Persistent Administrative Access Guidelines

Implementation Information

Review Frequency: Annual
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: October 30, 2023

Revision History

Version   Date         Description
1.0       10/30/2023   Initial document
1.1       11/20/2024   Updated policy statement and related links
1.2       03/10/2025   Updated policy statement
1.3       03/27/2026   Updated policy statement

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal. 
