I. Rationale

This Standard defines the University of Notre Dame's requirements for acceptable privileged credential configuration, use, and maintenance. Because of their greater access to networks, resources, and data than general user accounts, privileged accounts represent a greater risk to the University. The purpose of this standard is to reduce the overall risks associated with privileged accounts by providing guidelines for privileged account holders and maintainers.

II. Scope

This standard applies to all service or system administrator accounts used with University information systems. These accounts may be “administrator” or “root” accounts with full access rights, or accounts that only possess some additional rights. Privileged accounts have the ability to fundamentally change the functionality or security of a system or service or create new accounts with those abilities. Excluded from this policy would be user accounts that work within the confines and controls of a system or service.

Privileged credentials include those verified with passwords, keys, or other means of authentication. Privileged credentials may be local, network (domain), or shared accounts.

This standard applies to all services hosted in Notre Dame data centers, off-site locations, or cloud infrastructure and platform services. This standard should also be used as a guide for best practices when evaluating vendor provided services.

Services that do not meet the standard’s technical requirements should be configured with “compensating” controls that reduce the risk at least to the level required by this standard. The Office of Information Technologies Department of Information Security should be informed of those services that cannot be configured to meet the standard and require compensating controls. Compensating controls should be documented in the configuration records for the service.

III. Standard

1. Ownership:
   
   Service owner: The primary point of contact for a service and who has responsibility for decision-making or escalation of decisions. Where applicable, service owners include product managers.
   1. Service owners are responsible for the assignment and usage of privileged accounts associated with their service. In practice, service administrators may act as stewards and take on the day-to-day responsibilities of privileged account assignment and management.
   2. Service owners may at any time request, revoke, or modify privileged accounts.
2. Types:
   1. Individual: Individual privileged accounts are issued to employees, affiliates, or entities under contract with the University.
   2. Shared: Shared privileged accounts are issued to groups of employees, affiliates, or entities under contract with the University. Shared accounts should only be issued when technology requirements do not allow for individual accounts, or where individual accounts would pose an undue administrative burden, for example., accounts for a contractor with a rotating administrative staff. Otherwise, the usage of shared privileged accounts should be discouraged because of the difficulty of attributing individual actions through the accounting and auditing of shared accounts.
   3. Service: Privileged service accounts are issued to allow automated processes that require elevated access to run. Service accounts may never be used interactively by administrators and must be sufficiently protected against exposure through access controls, encryption, or other controls. Service accounts are exempt from password rotation requirements.
   4. Temporary: Temporary privileged accounts may be issued to individuals not employed or affiliated with the University for troubleshooting or emergency purposes with permission of the service owner. Temporary accounts must be disabled as soon as they are no longer necessary. All temporary access must be logged per the logging requirements specified in this standard.
3. Notre Dame NetIDs may not be the sole identifier of a privileged account unless the account is used in conjunction with multi-factor authentication (MFA). NetIDs may comprise part of the privileged account identifier in non-MFA configurations, E.G., NetID.admin.
4. Notre Dame passwords and keys must never be used on systems or services not associated with Notre Dame services.
5. Privileged account password length must be no fewer than 16 characters.  Whenever technically possible, the account must use MFA. All other character composition requirements of privileged account passwords are the same as those specified in Notre Dame Strong Password Standard.
6. Credential Rotation:
   1. Privileged account passwords and access keys must be rotated (changed) at a minimum of every 90 days unless the account is multi-factor enabled. Privileged service accounts are exempt from this requirement.
   2. Exposed passwords or keys, for any amount of time, must be immediately changed.
   3. Service or shared account passwords, access keys and key pairs must be changed immediately after an employee who has access or was exposed to the account leaves the University.
7. Privileged accounts should be assigned only the minimum privileges necessary to perform the duties required. For systems that do not support fine-grained access control of privileged access, all accounts must be considered privileged accounts.
8. Users should authenticate with privileged accounts only for activities that require privileged access and only for the time necessary to perform the required activities
9. Privileged accounts may never be shared.
10. Root, super administrator, or any account that would be considered a “master” service account, should be escrowed in an approved service to be available for emergency access from authorized personnel.
11. Privileged account passwords must be stored in a department approved password storage service. Passwords may not be stored in unapproved systems or unencrypted.
12. When a Privileged account-holder leaves the University, their privileged access must be disabled immediately upon their departure. When a Privileged account-holder no longer requires privileged access, that access must be disabled immediately.
13. Privileged account activity must be logged. Logs must be retained for a minimum of 1 year.
14. Service owners should review privileged accounts for mis-assigned, unused, or unauthorized accounts at least every 90 days. Accounts identified as such should be disabled or removed.