Tuesday, July 10, 2007

Information Security Policy 101 – Administrator and Special Access Policy

And now I present to you the Administrative and Special Access Policy! OK, I admit it isn’t all that exciting, but it is a policy that provides value in many organizations. In many instances users of administrative accounts have the ability to do just about anything in a corporate server and/or network environment. Administrators can often create accounts, change passwords, change access rights, delete audit logs, etc. Without proper control, the risk of inadvertent error and of malicious abuse of those rights is unacceptable.

All information security controls must have their roots in policy, and those meant to limit the risk inherent in the use of administrative access accounts are no different.

NOTE: This has been stated before, but I state it again in order to drive the point home. Supporting standards, guidelines, and/or procedures will need to be created in support of the policy after the policy has been formally approved and adopted by management.

General Policy Format

All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Administrative and Special Access Policy is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically, the Administrative and Special Access Policy applies to IT administrative personnel or to persons authorized and responsible for information resource management.

The %ORGANIZATION% Administrative and Special Access Policy applies equally to all individuals that have, or may require, special access privilege to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Administrative and Special Access Policy
The Administrative and Special Access Policy is written to communicate the general rules and guidance to those persons in an organization with authorized access to administrative accounts. The policy also applies to users of accounts that have access rights that exceed those of "general" user accounts.

As with all information security policies, the Administrative and Special Access Policy should be general in nature and not detail specific configuration settings or requirements. It should adequately address all areas of administrative access and reflect expected and acceptable use.


- All users of Administrative and Special access accounts must have account management instructions, documentation, and a recorded authorization for the access they hold.

- Each individual that uses Administrative and Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete his/her job function.

Remember that a policy is a series of statements that accurately reflect management’s expectations with respect to information security in the organization. It is easy to forget about those users in an organization that have “special” rights and privileges. This is a mistake. Users with these rights and privileges, if not properly informed and trained, can pose one of the most significant threats to the confidentiality, integrity and/or availability of organizational information.


TIP: The use of administrative and special access accounts needs to be strictly monitored and reviewed. Include regular monitoring and auditing in supporting procedures.
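As an added example of the kind of periodic review the TIP calls for (this is not part of the original post, and not any organization's actual procedure), the script below reconciles who actually holds special access in a directory export against the authorization register the policy requires, and checks a sample of privileged audit events against that reconciled list. Every account name, group, date and event here is constructed for illustration; the group names and action names are assumptions, not a standard.

```python
"""Privileged-account review: reconcile who holds special access against who is
authorized to hold it, and check recorded privileged actions against that list.

Added example with constructed data; nothing here is from a real system.
"""
from dataclasses import dataclass, field
from datetime import date

# Groups whose membership confers administrative or special access (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators", "sudo"}

# Actions an audit trail would record as privileged (assumed names).
PRIVILEGED_ACTIONS = {"reset_password", "create_account", "change_acl", "clear_audit_log", "sudo"}


@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Authorization:
    account: str
    owner: str       # named individual accountable for the account
    approver: str    # who in management approved the access
    expires: date    # authorizations must be re-approved, not granted forever


# Constructed directory export: who holds which groups today.
ACCOUNTS = [
    Account("alice", {"Domain Admins", "Staff"}),
    Account("bob", {"Staff"}),
    Account("svc-backup", {"Server Operators"}),
    Account("carol", {"sudo", "Staff"}),
    Account("dave", {"Enterprise Admins"}),      # no authorization on record
]

# Constructed authorization register: what management actually approved.
AUTHORIZATIONS = [
    Authorization("alice", "Alice Smith", "CIO", date(2026, 1, 1)),
    Authorization("svc-backup", "Backup Team Lead", "IT Manager", date(2025, 6, 30)),
    Authorization("carol", "Carol Jones", "IT Manager", date(2026, 1, 1)),
    Authorization("erin", "Erin Lee", "IT Manager", date(2026, 1, 1)),   # account no longer exists
]

# Constructed audit events: (account, action).
AUDIT_EVENTS = [
    ("alice", "reset_password"),
    ("bob", "reset_password"),    # bob holds no privileged group at all
    ("dave", "clear_audit_log"),  # dave holds a group but has no authorization
    ("carol", "sudo"),
]


def privileged_accounts(accounts):
    """Names of accounts that are members of at least one privileged group."""
    return {a.name for a in accounts if a.groups & PRIVILEGED_GROUPS}


def review(accounts, authorizations, events, today):
    """Return the findings a reviewer would act on, keyed by finding type."""
    held = privileged_accounts(accounts)
    by_name = {a.account: a for a in authorizations}
    existing = {a.name for a in accounts}
    # Accounts whose authorization is on record and has not lapsed.
    current = {n for n, a in by_name.items() if a.expires >= today}
    allowed = held & current
    return {
        # Holds special access with no authorization at all: remove or get it approved.
        "unauthorized": sorted(held - set(by_name)),
        # Authorization exists but has lapsed: re-approve or remove the access.
        "expired": sorted(n for n in held & set(by_name) if by_name[n].expires < today),
        # Register entries for accounts that no longer exist: clean the register.
        "stale_authorization": sorted(set(by_name) - existing),
        # Privileged actions by anyone not both holding and authorized for access.
        "unexpected_action": sorted(
            {acct for acct, act in events if act in PRIVILEGED_ACTIONS and acct not in allowed}
        ),
    }


if __name__ == "__main__":
    for kind, names in review(ACCOUNTS, AUTHORIZATIONS, AUDIT_EVENTS, date(2025, 9, 1)).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Run against the constructed data on 2025-09-01 it reports dave as unauthorized, svc-backup as expired, erin as a stale register entry, and bob and dave as having performed privileged actions they were not entitled to. The last category is the one worth wiring to an alert rather than a monthly report: an account that performs a privileged action without holding a privileged group (bob) is either a gap in the group inventory or an escalation, and either way it needs looking at before the next scheduled review.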

Next in the series: “Information Security Policy 101 – Backup Policy”

Previous: Information Security Policy 101 – Account Management Policy
