OU Administrative Policies and Procedures

880 System Administration Responsibilities
SUBJECT: SYSTEM ADMINISTRATION RESPONSIBILITIES
NUMBER: 880
AUTHORIZING BODY: PRESIDENT'S CABINET
RESPONSIBLE OFFICE: UNIVERSITY TECHNOLOGY SERVICES
DATE ISSUED: MAY 2003
LAST UPDATE: MARCH 2013

RATIONALE: The policy is intended to protect the wide array of information technology resources that are supported by departmental System Administrators and faculty, as well as by University Technology Services (UTS) staff.
POLICY: System Administration must be accomplished in a professional and timely way with a goal of protection of University assets and the broad array of information technology resources in use at the University. System Administrators have responsibilities to the University and should use reasonable efforts:
SCOPE AND APPLICABILITY: This policy is applicable to all University students, faculty and staff and to others responsible for the maintenance, support and operation of University information technology resources as defined in OU AP&P #890 Use of University Information Technology Resources. This policy refers to all University information technology resources whether individually controlled or shared, stand-alone or networked. It applies to all information technology resources, including systems and servers, owned, leased, operated, or controlled by the University.

Locally Defined and External Conditions of Use: Individual units within the University may define “conditions of use” for information technology resources under their control as long as those conditions do not conflict with appropriate University use guidelines found in the OU AP&P #890 Use of University Information Technology Resources or this policy. Individual units are responsible for publicizing both the regulations they establish and their policies concerning the authorized and appropriate use of the equipment for which they are responsible.

DEFINITIONS:

Access Accounts: Access Accounts are part of an access identity management scheme and typically provide an individual system user with an identity commonly called a username and a password to login and gain access to a system, network or application. An Access Account will be assigned specific privileges appropriate to the individual's job responsibilities and the purpose of the access.

Identity Management Systems: Identity Management Systems are systems designed for the purpose of managing login credentials, such as login identities, passwords, and personal identification numbers.
PROCEDURES:

a. Access Account integrity
Whenever possible, Access Accounts are integrated with UTS-managed Identity Management Systems such as the NetID system (LDAP) or Active Directory (ADMNET). Centralized authentication adheres to University policy, allowing the Systems Administrator to focus on systems and applications management, user rights assignment, and user roles within the system. Security is enhanced by reducing the proliferation of login identities and passwords.

b. Licenses, copyrights and contracts
System Administrators must respect and enforce copyrights, software licenses and contracts. All software protected by copyright must not be copied or accessed except as specifically stipulated by the owner of the copyright or otherwise permitted by copyright law. Protected software may not be copied into, from, or by any University facility or system, except pursuant to a valid license or as otherwise permitted by copyright law. The number and distribution of copies must be handled in such a way that the number of simultaneous users in a department does not exceed the number of original copies purchased by that department, unless otherwise stipulated in the purchase contract. System Administrators are responsible for enforcing systems compliance with related contract, software, and purchasing policies.

c. Data protection
System Administrators will implement adequate protections of Confidential Data (defined in Policy #860 Information Security), including identification of appropriate storage locations, encryption processes, and removal of confidential data that are not maintained under retention guidelines.

d. Data and system backup services
System Administrators must perform regular and complete backup services for the systems they administer, or they must work with UTS administrators to add their systems to a larger University backup structure. System Administrators will describe the data restore services, if any, offered to the system users. A written document given to system users or messages posted on the computer system itself shall be considered an adequate backup description.

e. Enforcement
UTS will audit the security of systems that have a presence on the University network. UTS may scan or examine systems for compliance and may either disconnect or quarantine any non-compliant system from the University network until the system is brought into compliance. In accordance with this policy, violators may be denied access to University computing resources and may be subject to other penalties and disciplinary action including University disciplinary procedures appropriate to their University status per Policy #890 Use of University Information Technology Resources.

f. Investigation of possible misuses and system logs
A System Administrator must report any possible misuse of data and security breaches immediately upon discovery to University Technology Services and the Oakland University Police Department. The System Administrator may be the first witness to possible misuse. Systems Administrators will immediately investigate any possible breach reported to them by University Technology Services.

g. Modification or removal of equipment
Information technology resources that are retired, disposed of, or transferred to another location must have all data and licenses removed, erased and made unreadable prior to release of the equipment. Software and information technology resources licensed to the University may not be transferred to a third party. Removal must meet standards for security established by University Technology Services. Equipment must be disposed of using methods approved by Property Management. System Administrators must not attempt to modify or remove computer equipment, software, or peripherals that are controlled or administered by others without proper authorization.

h. Network consistency
System Administrators will implement systems in compliance with the overall University structure for Internet Protocol (IP) addressing, domain services, wireless connectivity strategies, firewall rules, and directory services, as established by University Technology Services.

i. Special areas of compliance
The University must comply with certain special regulations. In particular, Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA and the related HITECH Act) have specific requirements. Other legal and regulatory areas may emerge from time to time requiring specific systems administration protocols. Systems that process, store or transmit credit card or other payment methods must meet Payment Card Industry compliance standards. Systems that process, store or transmit electronic protected health information (EPHI) must meet HIPAA and related HITECH compliance standards. UTS must be informed of all systems that process, store or transmit PCI or HIPAA data. Systems Administrators responsible for PCI or HIPAA compliant systems must attend annual training on compliance.

All systems and applications used to process, transmit or store Cardholder Information or EPHI must have access controlled and permitted by uniquely assigned login identities and passwords. Whenever possible, administrative access will be LDAP-enabled. Access Accounts are only given access to the minimum resources needed to perform a function. Administrator accounts are required to change passwords every 90 days. Password policy must enforce use of strong passwords at least 8 characters in length. Passwords must contain both numeric and alphabetic values. A new password for an individual account cannot be the same as the prior four (4) passwords. Accounts are locked when multiple attempts to access fail. Repeated unsuccessful login attempts must lock an account after six (6) attempts. Lockout durations must be set to 30 minutes; administrative override after verification is permissible. Systems must have the latest security patches installed on a timely basis unless overruled by the System Administrator and then only with compensating controls in place. Server hardening implementations must be based on industry-recognized best practices. Systems are physically secure and access is restricted to authorized administrators. Software that maintains the integrity of files is used to detect improper alteration of either system files or log data. Access control logs contain successful and unsuccessful login attempts and access to logs. Centralized logs recording data access, successful login attempts, and unsuccessful login attempts are retained for three months online and one year offline.

j. Remote access
Remote access used for System Administration must be handled through secured, encrypted communications verified in advance by University Technology Services.

k. Removal from the network
For the purpose of assuring all University system users a sound environment, and to meet the University expectations for network services, a system found to be in non-compliance with University policies may be removed from the University network. When immediate disconnection is not necessary, System Administrators will still be expected to take prompt action, to diagnose the problem, to stop any ongoing abuse, and to make whatever changes are needed to prevent reoccurrence. This will involve adopting best practices for security. This process should preserve any evidence that might be needed to locate the source of the problem and take any legal or disciplinary action that might be appropriate. System Administrators may be asked to demonstrate compliance with this document and with University policies before network services are restored after a documented instance of non-compliance.

l. System integrity
System Administrators are responsible for installing and maintaining all aspects of system integrity, including obtaining releases and fixes to assure the currency of operating system upgrades, installing patches, managing releases, installing anti-virus software, updating virus definitions, changing all vendor default passwords, synchronizing system clocks, and closing services and ports that are not needed for the effective operation of the system. Prompt renewal of vendor hardware and software agreements is required. Absence of a vendor support contract does not mean that University Technology Services is able to repair and restore systems without prior agreement or notice. System Administrators must make every effort to remain familiar with the changing security technology that relates to their system and continually analyze technical vulnerabilities and their resulting security implications.

m. Third party access
Third parties with access to University information technology resources must be contractually obligated to comply with University security policies and practices.

n. Vendor accounts and passwords
System Administrators must verify that vendor default passwords are disabled or changed immediately upon installation and for the duration of the implementation. All vendor passwords must be encrypted. Accounts needed by vendors are enabled only for the time needed, and disabled upon completion of work.
RELATED POLICIES AND FORMS:
OU AP&P #212 Bankcard Information Security Requirements
OU AP&P #360 Property Management
OU AP&P #830 Information Technology
OU AP&P #870 Software Regulations

APPENDIX: