Enhanced PC User Privilege Procedure FAQ

Background

The university reserves the right to determine the level of user access granted to university-owned desktops and laptops. IUP aligns its practices with industry best practices as articulated in various standards, such as the 20 Critical Security Controls from the SANS Institute. As per the Controls, it is vital to "Minimize administrative privileges and only use administrative accounts when they are required."

As such, the university generally limits such access to information technology (IT) staff specifically trained to perform these duties in a manner that helps protect sensitive university assets while supporting vital academic freedom principles (instruction, research, scholarly activity, etc.) without an undue burden.

However, situations exist in which the user assigned a university-owned desktop or laptop also requires enhanced privileges. The following process is for users to request enhanced privileges. Situations involving shared desktops or laptops, such as computer labs, are beyond the scope of this process.

Activation, Compliance, and Revocation

Enterprise Systems will retain authority to intervene in system and patch management, which includes the base software inventory.

The university will not accept responsibility for patching software the user installed locally or for license compliance related to such software. If the request for enhanced privileges is approved, the user will be responsible for updating any additional software installed on the PC apart from the base PC install. If vulnerabilities are found in such software, the user will be responsible for bringing the computer into compliance.

Privileges will be revoked if the PC is compromised and the investigation finds that any additional software was the cause.

IT Services retains the responsibility and authority for directing security-related and inventory scans (sensitive data, unpatched software, unsecured system configurations, lack of updated/operating antivirus software, etc.) as well as performing event logging analysis. In keeping with past practice, desktop or laptop network connectivity can be temporarily suspended until the user can bring the computer into compliance.

The respective vice president or their designee can direct Enterprise Systems to revoke the enhanced privileges as they deem appropriate. The user will be given a written explanation for the revocation.

By submitting this request via ihelp, you agree to comply with the policies established on this page. This action will require you to log in to ihelp.

Process

  1. A user receiving either a new or rebuilt university-owned desktop or laptop will be asked by the assigned IT Services staff person whether they need enhanced privileges. If the user’s needs suggest enhanced privilege is required, the IT staff person will work with the user to create a request for the privilege, including a very brief explanation (two to three sentences) of the need.
  2. To make the request, submit an ihelp ticket. Include the PC number, the reason for the request, and whether this is Temporary or Permanent access.
  3. This ihelp ticket will be routed to the Enterprise Systems group to review your request.
  4. Enterprise Systems will review the request and engage other IT Services staff members as appropriate to determine the best alternative that balances user needs with the university’s interests in following account management best practices. These options include: (a) permanent enhanced privilege, (b) temporary enhanced privilege (a short window for the user to complete specific tasks), or (c) standard privilege.
  5. Enterprise Systems will inform the user of the resolution, and the assigned IT Services staff person will set up the desktop or laptop accordingly. In cases where the user does not agree with the resolution, the respective vice president or their designee will review and determine the appropriate action. A user can work with their assigned IT Services staff person if their need for enhanced privilege changes in the future.
  6. If you have any questions, you will be able to update your ihelp ticket.