
IS05a: Privileged User Account Management Policy

This Privileged User Account Management Policy is a sub-policy of the User Account Management Policy (IS05), which is itself a sub-policy of the Information Security Policy (IS01) and which sets out the requirements for the effective management of user accounts and access rights.

Purpose
  • This Privileged User Account Management Policy is a sub-policy of the User Account Management Policy (IS05).
Scope
  • This Policy applies to all privileged users. Users with privileged accounts only on their own devices are currently out of scope.
Responsibilities
  • All account users must comply with the University’s Information Management policies and must complete all required training as outlined in IM02 Information Management Training Policy. All users must set and use robust passwords to access University information systems.
  • Wherever possible, users must not use their University UserID or University Password on any system that is not managed or supplied by the University and that sits outside the University network. This includes social media sites, personal email platforms and cloud computing services, even where these are accessed via the University network and/or University devices.
Compliance
  • Compliance with this policy will be monitored on an ongoing basis. The compliance focus will be on: timely changes to User Account profiles (changes, suspensions and closing of accounts); ensuring appropriate maintenance of ‘privilege’ access logs; requests to the CITO for local/alternative service provision and any approvals; and exemption requests and any approvals. All policies linked to this policy will be monitored and compliance performance will be reported monthly by Information Asset Owners to the University Information Management Committee.

Policy Introduction and Purpose

This Privileged User Account Management Policy is a sub-policy of the User Account Management Policy (IS05).

It sets out the requirements for the effective management of privileged user accounts and access rights. 

The management of, and compliance with, this policy is essential in order to ensure that access to the University’s information and information systems is restricted to authorised users. 

Scope and Definitions

This Policy applies to all privileged users. Users with privileged accounts only on their own devices are currently out of scope. However, this is under review. 

Glossary of terms 

  • Privileged account 
    Named credentials that have been granted administrative privileges on one or more devices. 
  • Privileged user 
    A user who, by virtue of being issued with a Privileged account, is authorised (and therefore trusted) to perform security-relevant functions that ordinary users are not authorised to perform. 
  • IT Staff 
    Employees who are members of the Information and Digital Group, or who provide local IT support in other departments. 

Responsibilities

Role and function (RACI):

  • Digital Strategy Group representative: Responsible 
  • Head of Department: Accountable 
  • Chief Information and Transformation Officer: Consult 
  • Data Protection Officer: Consult 
  • University Information Management Committee representative: Inform 

Principles of this Policy

User Account Eligibility

Privileged User accounts will only be provided to eligible IT Staff who have undergone suitable training in the use of such accounts.

Account Lifecycle

Privileged User accounts will be disabled immediately upon termination of employment.

Authorisation to Manage

Access rights granted to users will be restricted to the minimum required in order for them to fulfil their roles. 

Privileged Users’ access rights must be adjusted appropriately and in a timely manner to reflect any changes in a user’s circumstances (e.g., when a member of staff changes their role, or leaves the University). Privileged Users must inform the Helpdesk immediately of any changes to their circumstances. 

Privileged account provision and permissions will be reviewed on a regular basis, at intervals not exceeding 12 months. 

Privileged accounts must only be used by system administrators when undertaking specific tasks which require special privileges. System administrators must use their standard (non-privileged) user account at all other times. 

Privileged Accounts must only be used to install software applications that have been approved for use and are suitably licensed. Software must only be sourced from the approved locations - see https://warwick.ac.uk/services/its/servicessupport/software/list/  

Privileged Users will use their discretion when installing drivers, etc., but must ensure they are obtained from reputable sources. 

Compliance Monitoring

Signed acceptance of this policy is a condition of obtaining privileged access.

Compliance with this policy will be monitored on an ongoing basis. The compliance focus will be on: 

  • Timely changes to Privileged User Account profiles (changes, suspensions and closing of accounts) 
  • Ensuring appropriate maintenance of ‘privilege’ access logs 

All policies linked to this policy will be monitored and compliance performance will be reported monthly by Information Asset Owners to the University Information Management Committee. 

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.