BP.03.002 - Business Practice for Administrative Access to Workstations

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

• History
• Purpose
• Background
• Business Practice
  • Accountability
  • Applicability
  • Definition(s)
  • Text
• Exhibit(s)
  • Assessment History

History [top]

• Business Practice Number: BP.03.002
• Version: 2
• Drafted By: Carlos Miranda
• Approved By: James August
• Approval Date: 09/13/2010
• Latest Revision Date: 01/03/2024

Purpose [top]

To assure the confidentiality, integrity, quality, and availability of CSU Channel Islands information assets by limiting administrative access to workstations to those with a legitimate academic or business need for the access.

Background [top]

CSU Channel Islands ITS strives to provide a high-quality and feature-rich computing environment. ITS depends upon the standardization of the computing environment to deliver quality service and support to students, staff, and faculty. Internal policies, such as the Interim Policy on Responsible Use (IT.03.001), require ITS to implement processes to ensure the appropriate use of information systems. Additionally, the University is required by CSU system-wide policy to protect its information assets.

As computers and their associated operating systems grow in complexity, they also become more complicated to manage. Most operating systems and software developers have a two-tiered approach to computer access rights, with regular users and administrative users. For most operations, regular user privileges are sufficient to complete work-related tasks and to provide limited customization of the computing environment. By contrast, administrative users are granted full control over the system or service to which the administrative access applies and can make any and all modifications to the machine.

Business Practice [top]

Accountability [top]

Director, User Services

Applicability [top]

All CI users assigned a workstation.

Definition(s) [top]

1. Administrative Access:   Access levels above and beyond that of a regular, non-administrative user.
2. Administrative User:  A user with administrative access to a system or service.
3. Regular User:  A user without administrative access to a system or service.
4. Workstation: A University-issued or –owned computer. “Workstation” encompasses any computer issued to an individual, including desktops and laptops.

Text [top]

In order to ensure the confidentiality, integrity, and availability of the University’s information assets, ITS will implement the following procedures.

Administrative access to workstations — General

CSU Channel Islands ITS bases its support and service operations on the assumption that all faculty and staff are granted regular user access to their workstation(s), and strives to deliver a feature-rich and high-quality computing environment that allows regular users to perform their duties. The limitation of administrative access permits ITS to maintain the integrity of the campus computing environment and simplifies troubleshooting, centralized management, and upgrades to workstations. The CSU strongly discourages faculty and staff from having administrative access to their machines.

Per CSU Information Security policies (.pdf),  CSUCI must ensure that any changes to a computer must go through a request process and that local administrative rights must not be granted to the campus account used for activities such as web browsing. In addition, per the 2018 Information Security Audit, CSUCI was cited for permitting local administrative rights that could allow disabling of security controls and the installation of unauthorized software.

Per CSU policy and the audit, CSUCI must ensure that computers

• They are created from a current standard secure configuration checklist.
• Have up-to-date anti-virus software installed and maintained on the computers. Regular updates to virus definitions and software must be activated
• Are configured to allow automatic application of software updates through a patch management system
• All campus computers must have a campus-approved image. Reformatting a computer is not allowed.

Therefore, CSUCI users with administrative rights must not block or in any manner disable and/or revise any services on the workstation that may prevent malware scans and other routine maintenance procedures. 

Users who fail to demonstrate sufficient system administration skills are subject to having administrative access privileges suspended or revoked at the discretion of the AVP for Information Technology Services.

Users granted administrative access to their workstations are subject to the Administrative Access Rights Service Level Agreement and bear full responsibility for the administration of their workstations. Users who fail to demonstrate sufficient system administration skills are subject to having administrative access privileges suspended or revoked at the discretion of the AVP for Information Technology Services.  

Administrative access to workstations — Staff (including student employees)

CSU Channel Islands ITS restricts administrative access to staff member workstations to those who have a demonstrated business need for access to those workstations. 

For a staff member to gain administrative access to their workstation, that staff member must—

1. Have a demonstrated business need for administrative access to their workstation(s), (Installing software on university computers is not a business reason)
2. Obtain the verification of a demonstrable business need from their program or department manager,
3. Obtain the written approval of the request from their Division executive (see Exhibit 2),
4. Obtain the written approval of the AVP for Information Technology Services, and
5. Complete and agree to the Administrative Access Rights Service Level Agreement (see Exhibit 1).

Administrative access to workstations — Faculty

CSU Channel Islands ITS may provide faculty members with administrative access to faculty workstations with the approval of the Dean of the Faculty or designee. This access is provided to faculty to support the academic mission of the institution.

For a faculty member to gain administrative access to their workstation, that faculty member must—

1. Obtain the written approval of the Dean of the Faculty (see Exhibit 2),
2. Obtain the written approval of the AVP for Information Technology Services, and (see Exhibit 2),
3. Complete and agree to the Administrative Access Rights Service Level Agreement (see Exhibit 2)

Administrative access to workstations — Students

Student employees must comply with the processes for staff members above.

Providing administrative access to workstations to non-employee students is prohibited unless those workstations are physically isolated from the campus production network.

Exhibit(s) [top]

Exhibit 1 - Administrative Access Rights Workstations - Service Level Agreement - (Adobe Sign)

Exhibit 2 – Administrative Access to Workstations – Business Justification and Approval 

Assessment History [top]