IT0506-HSC-A.03 Privileged Account Management

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To define the roles and expectations of Privileged Accounts affording elevated user rights on systems and applications. Specifically, these rights can bypass, modify, or disable technical or operational security controls. Examples may include the ability to install software, install or modify system processes, create or modify system configurations, create or modify system access controls, and view or control the screen of the user through remote access technologies to assist users.

Scope

This practice applies to all individuals who have been granted access to Privileged Accounts with elevated access to any University of Tennessee Health Science Center (UTHSC) system or application where the account has been afforded rights beyond that of a typical user.

Definitions

Privileged Account – An account which, by virtue of function and/or security access, has been granted special privileges within the computer system that are significantly greater than those available to the majority of users, including but not limited to local administrative accounts, privileged user accounts, domain administrative accounts, emergency accounts, service accounts, and application accounts.

Security Categorization – The process of determining the security category for data or an information system. Security categorization methodologies are described in Federal Information Processing Standard (FIPS 199) and National Institute for Standards and Technology (NIST) SP 800-60. Security categorization helps identify the appropriate level of controls to be applied to the system or data.

System or Application Owner/Custodian – Person or organization having responsibility for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system.

Responsibilities

System/Application Owner: authorize, review, and reverify privileged access accounts, and ensure that each privileged account has its own credentials, separate from the individual's normal user account.

System/Application Custodian: create separate, unique credentials for the privileged account.

Individual with privileged access: comply with all guidance in this practice.

Chief Information Security Officer (CISO): governance, oversight, and monitoring of the Privileged Account Management process.

Practice

  1. Privileged access enables an individual to take actions that may affect computing systems, network communication, or the accounts, files, data, or processes of other users. Privileged access is typically granted to system administrators, network administrators, staff performing computing account administration, or other such employees whose job duties require special privileges over a computing system or network. Privileged access might provide such users with technical access capabilities that exceed their functional access authority, such as the ability to upgrade their own functional access authority.
  2. Individuals with privileged access must not abuse their access capability and must strictly respect their functional access authority limits, respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with any relevant laws or regulations. Individuals also are obligated to familiarize themselves with any procedures, business practices, and operational guidelines about the activities of their local department. In particular, the privacy of information holds important implications for computer system administration at UTHSC. Individuals with privileged access must comply with applicable policies, laws, regulations, precedents, and procedures while pursuing appropriate actions to provide high-quality, timely, reliable computing services.
  3. The CISO will maintain the responsibilities of governance, oversight, and monitoring of the Privileged Account Management process.
  4. Requirements:
    1. Privileged access shall only be granted to authorized individuals.
    2. Individuals may request privileged access from the System or Application Owner. Each Owner must establish a standard process for review, approval, and provisioning of administrative access to systems and applications. This process must include the proper segregation of duties and provide the CISO with the ability to monitor compliance with the established information security policies and processes.
    3. Every privileged account must have its own unique password when provisioned as a dedicated administrative account. Passwords should be configured using the guidance from IT0506-HSC-A.01-Password Management and Complexity.
    4. Administrators may only use their privileged account to perform administrative functions like installation and maintenance tasks unless technically constrained by a system or application.
    5. Administrators may not use their privileged access for day-to-day activities such as web browsing or reading email, nor for unauthorized viewing, modification, copying, or destruction of system or user data.
    6. Users with privileged access have a responsibility to protect the confidentiality of any information they encounter while performing their duties. Never disclose confidential or sensitive information about UTHSC or the University of Tennessee and its students, staff, faculty, or alumni. Types of data with a level 2 categorization include but are not limited to Protected Health Information (PHI), Personally Identifiable Information (PII), FERPA-protected student information, Social Security numbers, credit card numbers, and medical records. Comply with the guidance outlined in IT0005-HSC-A-Data & System Categorization.
    7. Users with privileged access are responsible for complying with all applicable laws, regulations, policies, and procedures.
    8. As a representative of UTHSC and the University of Tennessee, each user with privileged access must maintain the same standards of conduct expected of all employees, as per UTSA policy HR0580-Code of Conduct.
    9. Users with privileged access to business-critical systems or who can assign or revoke rights, roles, and privileges in said systems must have a background check performed every four (4) years.
  5. Non-Compliance and Sanctions
    1. Failure to comply with these standards may result in a loss of access or other disciplinary actions, up to and including termination.

Policy History

Version #   Effective Date
1           09/30/2017
3           09/17/2020
4           05/12/2022
5           10/23/2023
6           03/01/2025 – new naming convention

References

  1. IT0506-Information Technology Account and Credential Management
  2. IT0005-HSC-A-Data & System Categorization
  3. IT0311-HSC-A-Access Controls
  4. IT0506-HSC-A-Authentication
  5. IT0506-HSC-A.01-Password Management and Complexity
  6. UTSA policy HR0580-Code of Conduct

Version: 4 // Effective: 09/30/2017