IT-03 System Administrator Policy


Upload: krlekonj

Post on 19-Apr-2017


TRANSCRIPT

Page 1: IT-03 System Administrator Policy

DOCUMENT NO: IT-03
REVISION NO: 0
EFFECTIVE DATE: 1-August-2009
PAGE NO: 1 of 3
PREPARED BY: Hong Chan Chuen
APPROVED BY: Lim Hock Chee

SYSTEM ADMINISTRATOR POLICY

1.0 PURPOSE:

1.1 To establish and maintain a policy on use of System Administrator type access to company information systems.

2.0 SCOPE:

2.1 This document applies to all CMM IT employees and all CMM information systems, excluding personal computers.

3.0 REFERENCES:

3.1 IT-02 (IT Password Standards)

4.0 DEFINITIONS:

4.1 IT – Information Technology

5.0 EXHIBITS:

5.1 None

6.0 RESPONSIBILITIES:

6.1 Corporate IT Group
- Ensuring that IT develops and implements appropriate policies, practices and procedures on a company wide basis.
- Ensuring that regional IT management implements and ensures compliance to this policy and all related practices and procedures.
- Ensuring that the policy, practices and procedures are maintained.
- Ensuring all staff in their area of responsibility is familiar with and complies with all policies, practices and procedures.
- Responsible for approving all System Administration type access.
- Review System Administrator access rights to ensure compliance with this policy.
- Ensure that CMM sites without full-time IT staff are provided with appropriate training and procedure.

6.2 IT Employees
- Responsible for complying with this policy.

7.0 PROCEDURE:

7.1 It is recognized that certain authorized IT users require System Administrator access to perform job functions such as Operating System updates, patches, maintenance routines, security setups, etc.

7.2 It is recognized that certain authorized IT users will have the ability (e.g. System Administrators) to access data contained in a system without being an authorized user of the system itself. Audit logging must be enabled to monitor System Admin type access usage.

7.3 Administrator and other highly privileged accounts (e.g. ‘root’) will be strictly monitored, will only be granted in accordance with existing policies/procedures, and only used when necessary in accordance with documented procedures.

7.4 System Administrator access rights to any CMM electronic system are dependent on your acceptance of this policy.

7.5 Violation of any provisions of this policy as described will result in disciplinary action up to and including termination.

8.0 PRACTICE:

8.1 Acceptable Usage and Privacy

8.1.1 System Administrators must only be given privileges they need to accomplish their task and no more.

8.1.2 Appropriate training and/or related experience will be required prior to any staff being granted System Administrator access.

8.1.3 Administrator and all other highly privileged accounts (e.g. ‘root’) will only be granted in accordance with existing policies/procedures, and only used when necessary in accordance with documented procedures. System Administrators must not modify any System/Application/Network, etc. logs.

8.2 System Authentication and Passwords

8.2.1 Designated System Administrators will be assigned unique usernames with ‘group’ authority assignments granting access to ‘root’ type access. The actual vendor shipped Systems/Application super user account will only be used when required by the System/Application.

8.2.2 Vendor Shipped System/Application Super User accounts will have their passwords changed on a regular scheduled basis, including whenever anyone in IT with access to the passwords leaves the department. Any password files maintained by IT containing these Super User accounts and passwords must be restricted to IT users with Administrator rights.

8.2.3 Any future Systems or Applications brought into the CMM domain must meet CMM security policies and conform to generally accepted industry best security practices, i.e. Administrator type accounts and passwords will not be stored in clear text files.

8.2.4 Granting of Administrator type rights must be approved by the CIO. A database of all security requests will be maintained for an audit trail and the data owner informed.

8.3 Monitoring

8.3.1 The number of System Administrator type accounts will be strictly limited to ensure proper segregation of duties, an appropriate level of security and resources required to cover the workload. This applies to both the Infrastructure and Application teams.

8.3.2 A review of all System Administration accounts will be conducted annually, at a minimum, to ensure that the number of people with such access is reasonable and that only those who require it have this access. The results of this review must be approved by the CIO.

9.0 REVISION HISTORY:

Rev # | Sec./Page No | Name | Change Date | Changes
0 | - | Hong Chan Chuen | 6-July-09 | New

2-MAY-23