Guide 13 - Access controls / Superusers guidance

Scope

This guidance applies to any person that is granted access to College networks, accounts, information systems and all types of data. 

By assigning consistent controls according to set parameters it will help 

• provide assurance to systems / data owners that they are being used correctly.
• ensure consistent access controls are in place that balance the business needs of the College with embedding adequate security controls
• ensure the right information is accessible to the right people at the right time, and that access to information is appropriately managed.
• Implement clear processes whereby third parties are able to handle and have access to College information including consultants, contractors, visitors and volunteers etc.
    

Roles and Responsibilities

Information Asset Owners (IAO) – IAOs are responsible for enabling access to systems based upon the needs of the College and ensuring access is in line with College Guidance and the wider Information Governance Framework. This can be done directly or via a team member / third party who has delegated responsibility. For more information, see the Information Governance Policy Framework. 

Super users – are a user with special privileges in excess to standard Account Holders / System Users, these may include the ability to; 

• full read / write / execute privileges;
• creating or installing files or software;
• manage updates;
• modifying files and system settings;
• deleting users and the data held
   

The allocation of privileged rights will be limited in number, restricted to ensure a review prior to allocation and not set by default. The process for assigning an individual as a super user will be managed and documented by the relevant IAO. Such access will not be afforded to users for standard activities, cannot be provided to entire teams and will be reviewed annually to ensure such access remains a requirement. 

Account holders / System users – sometimes referred to as ‘least privilege accounts’ or ‘Standard users’, these accounts have the minimum access required and will represent the majority of system users. In accordance with their job role they will gain access to systems and are responsible for acting in accordance the College Information Governance Framework. 

Good practice

• Access should always be set at least privilege by default. This can mean elevating privileges temporarily when needed, but without granting full superuser rights to the user account.
• Limit Superuser membership to very few people to maintain security and minimise risk of breaches occurring.
  Superuser credentials must not be shared and can be assigned to individuals only.
• Requests for increased levels of access should be identified by Heads of Department based on job requirements and raised to the relevant IAO for review.
• Consideration for ‘Joiners, Movers and Leaders’ must be undertaken to avoid access being retained once an individual is no longer in the role in which the original access level was awarded.
• For Super user accounts / administrative access roles, use of MFA[1] must be implemented and additional protections considered to prevent misuse / increased risk. Such considerations include implementation of separate user accounts in order to separate Super user privileges from the individuals day to day activities and applying privileges on a case by case basis whereby Superusers gain only the privileges needed. This will limit exposure through malicious actor events, such as spear phishing, by minimising the likely result if such an event occurred.
• Review user accounts and systems for unnecessary privileges on an annual basis, and ensure rights are revoked when no longer required.
• Ensure all systems enable, where possible, audit functions whereby access / use / movement of the data held can be tracked.
• Ensure, where possible, authentication and authorisation events are logged for review in case of suspicious behaviours or events, such as multiple failed login attempts.
   

Relevant documents of note

Information Governance Framework 

Conditions of Use of IT Resources 

Unified Access 

Information Security Policy v.7.0 

Data Protection Policy 

[1] Multi-factor authentication | Administration and support services | Imperial College London