Administrative Access Policy Exception Process

This process is currently under annual review.

Summary

Due to the higher level of potential risk and exposure, exceptions to the Administrative Access Rights policy are serious requests that must be documented and maintained to meet the requirements of Information Security as documented by the University System of Georgia in their policy guide, the IT Handbook. Franklin OIT has adopted the following process for handling exception requests.

Exception Process

The individual requesting administrative access must first do the following:

  1. Provide Franklin OIT the opportunity to address the needs outlined as requiring administrative access.

    1. Franklin OIT may use a combination of tools, temporary administrative access, services, and support methods to try to address the needed functionality.

    2. If the concerns cannot be adequately addressed and the work need is validated, the process may proceed with an exception request, which will be valid for a single named individual on a single computer, for the duration of the task or the remaining lifecycle of the computer system.

  2. The requirement behind each exception request will be validated through practical testing, existing knowledge, and available documentation to confirm the need for elevated access. If the need cannot be validated or an alternative method can be used, that alternative may be recommended instead of administrative access.

  3. Exceptions may take the following forms:

    1. Temporary Exception - lasting only for the designated purpose

    2. Full / Dedicated Exception account

  4. Franklin OIT will provide an online form to be filled out for the exception.

    1. When submitting an exception request, the requestor must provide as much detail as possible.

    2. For example:

      1. Operating System and Software or components should be named

        1. (E.g. Windows 11 with Python development environment requiring the install and removal of modules such as..)

      2. Job duties requiring the necessary exception

        1. (E.g. My instruction duties in topic require the ability to use the listed software and tools.)

      3. Provide an anticipated duration of the need. If it is a short-term need, a temporary exception may be used and the requested number of weeks or months should be included.

        1. By default, we use 2 weeks for temporary exceptions.

        2. Exceptions may be reviewed or renewed annually or in alignment with the supported system's lifecycle.

  5. Requests will be reviewed and renewed on a regular basis, typically in alignment with the remaining lifecycle of the computer.

Granted Exceptions Terms

When an exception is granted, the following stipulations apply:

  • Agree that the device will meet at least the following minimum standards required for all devices associated with Franklin College:

    • Where applicable, devices will be bound to UGA's Active Directory to maintain compliance with university user account standards.

    • Franklin OIT will maintain administrative access to the device at all times and accounts should not be removed or tampered with.

    • Franklin OIT will maintain tools for patch and policy compliance auditing on the device at all times. These tools may include Ivanti, JAMF, and Managed Software portals which must remain installed and enabled.

    • Approved Antivirus, Anti-malware, and similar security tools must remain installed and enabled.

      • If these tools interfere with the software being used or the work duty needed from the device, consult with Franklin OIT for alternative protections or a separate exception.

    • All user credentials must adhere to campus policies for password complexity and age.

    • Elevated access may not be used to create new local user accounts or provide access to other individuals.

    • All system security must still comply with campus Information Security policies, standards, and guidelines.

    • Administrative access will only be used as-needed and not continually.

    • The system may not be allowed to store or process sensitive or restricted data, or be eligible for compliance with third-party funding agency security requirements and stipulations.

  • Acceptance of risks:

    • Acknowledge that my unit head and I are assuming all risks and responsibilities associated with the administrative access that I am requesting and that the risks and responsibilities are no longer the responsibility of Franklin OIT or the Dean's Office.

    • In the event of a security incident, it is understood that my supervisor and I assume all risks, responsibilities, and costs associated with data loss, data recovery, and damage to reputation associated with the security incident.

    • Acknowledge that receiving an exception will result in a lower service level from Franklin OIT since I will be handling all risks and responsibilities associated with administrative rights on computers that I administer.

    • Franklin OIT will assign a medium priority to my requests including requests for incident mitigation, and Franklin OIT will respond during regular business hours as resources allow.

Document Review and Changelog

This policy will be reviewed on an annual basis.

Status             Date Published
Initial Release    Aug 26, 2025
Reviewed           Under Review Nov 14, 2025
Last Change        N/A