Privileged Access Management Standard

Application

This standard applies to all users, whether physically located on University property or elsewhere, and all University systems and applications.

Purpose

To define the standards of privileged access account use and management at the University.

Standards

1. Privileged access will be granted to the user of the account and that person will be designated as the owner of the account.

2. The owner is accountable for all actions taken under that account.

3. Documented processes for granting, reviewing and revoking privileged accounts must be maintained.

4. The business owner of the system being accessed is the process owner.

5. Privileged access accounts must be approved prior to being configured.

6. Approval and configuration of accounts must follow segregation of duties principles.

7. All user access to services, data, and functionality must be based on the principle of least privilege.

8. Privileged access may be used only for the duration of time necessary to perform administrative duties.

9. At all other times, an individually assigned standard user access account will be used.

10. Privileged access for everyday use is not permitted.

11. Privileged access accounts must be logged off completely when not in use.

12. Privileged access accounts must adhere to University password policies and guidelines, and be configured for multi-factor authentication.

13. When a user is no longer entitled to privileged account access, such access must be removed immediately.

14. Monitoring and auditing of privileged accounts will occur on a regular basis.

15. Monitoring and auditing must follow segregation of duties principles.

16. If it is detected that an account has been accessed or used in violation of University policies, then that account may be disabled without warning.

17. Access control to systems will vary according to the business rules established by the system owners; this must include, where appropriate, rules for segregation of duties.

Definitions

The following definitions apply to this document:

Access control refers to processes instituted to grant or deny specific access to and requests for obtaining and using information. The purpose of access control is to prevent unauthorised access to information, processes, resources, and systems. Access control enforces decisions to restrict or to provide access, rather than making the decision.

Principle of least privilege is the level of access given to a user which limits that user to only the resources absolutely essential for completion of assigned duties or functions, and nothing more.

Privileged access (also referred to as administrator or admin access) allows an individual full permissions to the resources within their authority.

Segregation of duties is the concept of having more than one person required to complete a task from end to end. The objective is to prevent fraud and errors by disseminating tasks and associated privileges for a specific business process among multiple users.

Users refers to anyone with an identity record at the University. This includes staff, contractors, academic visitors, applicants, students, alumni, and UniServices staff members.

University means the University of Auckland and includes all subsidiaries.

Key relevant documents

Document management and control

Owner: Chief Digital Officer (CDO)
Content manager: Chief Information Security Officer
Approved by: Vice-Chancellor
Date approved: 21 November 2019
Review date: 21 November 2024