The purpose of this policy is to ensure that for every university computer application, there is an Application Administrator who is adequately controlling the user access and protecting the system data. This policy is applicable to every university computer application, whether it resides on-premise, is hosted at another site or resides in the cloud. The applications covered by this policy include any computer system for which the university controls the user access.
There will be at least one designated Application Administrator for each university application, with a designated backup in case the primary is unavailable. The WITS Department will maintain a registry of Application Administrators and assign a WITS Liaison to assist each non-WITS Application Administrator with the implementation of this policy.
Account and Access Management
Application Administrators must perform the following responsibilities to control access to the application:
- Ensure that all users have just enough, and no more, access and authority necessary to perform their job responsibilities.
- Immediately revoke access for terminated or transferred users or for any user whose access is no longer required.
- Work with WITS to provide single sign-on if the system is used by more than 10 users in the Willamette community.
- Ensure that any passwords locally stored in the application comply with the password policy in the Information Security Policy.
- Where possible, use a password claim process to ensure that passwords set by Application Administrators are changed by the user immediately upon the user’s next login, and that these passwords expire after a limited period of validity.
- When resetting locally stored user passwords, take reasonable steps to verify the identity of the person requesting the password change, and ensure that passwords are properly handled to maintain confidentiality.
- Ensure that guest accounts have Director-level approval and automatically expire at the end of the agreed-upon access period, if possible. Extensions must be requested by the university employee sponsoring the guest.
- Ensure that extension authorizations for former students or employees have Director-level approval and expire at the end of the agreed-upon access period, automatically, if possible.
- Ensure that vendor accounts used for remote maintenance are only enabled during the time that access is needed and they are monitored while being used.
- Ensure that all application access, and especially access to any databases containing confidential and private information, is authenticated and audited (e.g., users, Application Administrators, etc.). Direct SQL queries to the database must be limited to database administrators and authorized users.
- When audit logs are accessible by an Application Administrator, enable audit logs to record user and administrative activities. Store audit logs securely and retain them for six months with at least the most recent month available for analysis.
- Review audit logs periodically, at least every month, and ensure that all system activity is legitimate. For non-WITS Application Administrators, report any suspicious activity to the WITS Liaison.
- Ensure access to management consoles is limited to authorized personnel.
- Store all superuser and integration user credentials in a password vault that is centrally maintained by WITS. These credentials will be used as necessary to ensure business continuity.
- Use superuser credentials only to administer access to the application, not to perform other work in the application.
WITS will oversee an annual audit of application access authorizations to confirm that access privileges are appropriate. The audit will consist of validating access rights for sample user populations and confirming that accounts are closed for any inactive users.
Data Retention, Backup and Disposal
For applications where the university has the ability to control the storage, backup and restoration of data, Application Administrators must perform the following responsibilities to protect application data:
- Ensure that all confidential and private data, regardless of storage location, is retained only as long as required for legal, regulatory and business requirements. Determine the regulatory retention length by consulting with the Processing Archivist and Records Manager.
- Ensure that backups occur at a frequency that makes certain the university will not lose mission-critical data or software, and ensure that restorations of backed up material occur within a reasonable time period. For applications provided as a service, the service provider contracts must stipulate backup and restoration processes that adhere to this policy.
- Ensure that all confidential and private data, when no longer needed for legal, regulatory or business requirements, is removed from the application using a method approved by the Director of Infrastructure Services.
For applications where the university has the ability to control upgrades and receive disruption of service notices, Application Administrators must perform the following responsibilities to facilitate system usage and data security:
- Regularly review all notifications from the vendor such as upgrade release notes, security notices, and outage notifications.
- Immediately comply with all instructions intended to mitigate security issues. Notify the Director of Infrastructure Services of any security vulnerabilities that are not immediately mitigated.
- Coordinate application upgrades in a timely manner.
- Notify application users of upgrades and outages.
For applications where the data is used by other systems or by users other than Administrators, Application Administrators must perform the following responsibilities to facilitate data access:
- Ensure that other systems and users that rely on the application’s data receive the information they need, even after the application is modified or upgraded. Maintain a data dictionary of any fields that are used by other systems and users and proactively coordinate any changes with other units, before any changes are made.
- Maintain integrity of the data, including resolving duplicate data.
Glossary of Terms
Application is a set of computer programs with a user interface, enabling people to use the computer as a tool to accomplish specific tasks.
Audit Log is a chronological list of actions taken within an application.
Data Dictionary is a set of information describing the contents and format of a set of data elements and the relationship between them.
Integration User Credentials are the user ids and passwords that have privileged access to set up and configure integrations.
Password Vault is a computer application for the secure storage and sharing of multiple sets of credentials.
Single Sign-on is the configuration that allows a user to sign on once and access multiple applications.
Superuser Credentials are the user id and password for the account that by default has access to all commands and data in the application. This account is typically used to set up and configure the application.