
NUMBER: 880
SUBJECT: SYSTEM ADMINISTRATION RESPONSIBILITIES
AUTHORIZING BODY: PRESIDENT'S CABINET
RESPONSIBLE OFFICE: UNIVERSITY TECHNOLOGY SERVICES
DATE ISSUED: MAY 2003
LAST UPDATE:
RATIONALE: The following policy is intended to protect the wide array of information technology resources that are supported by departmental systems administrators and faculty, as well as by University Technology Services staff.
POLICY:
1. POLICY SCOPE AND APPLICABILITY
a. Applicability
This policy is applicable to all University students, faculty and staff and to others charged with the support of university information technology resources. This policy refers to all University information resources whether individually controlled or shared, stand-alone or networked. It applies to all information technology resources owned, leased, operated, or contracted by the University.
b. Locally Defined and External Conditions of Use
Individual units within the University may define "conditions of use" for information resources under their control as long as those conditions do not conflict with university appropriate use guidelines found in the Policy for Use of University Information Technology Resources. Individual units are responsible for publicizing both the regulations they establish and their policies concerning the authorized and appropriate use of the equipment for which they are responsible.
c. Systems Administration
While the University is the legal "owner" or "operator" of all information technology resources purchased or leased with University funds, oversight of any particular system is delegated to the head of a specific subdivision of the University governance structure, such as a Dean, Department Chair, or Administrative Department head. For University-owned or leased equipment, that person is the responsible administrator in the sense of the policies in this Guide memo. The responsible administrator may designate another person to manage the system. This designate is the "system administrator". The system administrator has additional responsibilities to the University as a whole for the system(s) under his/her oversight, regardless of the policies of his/her department or group, and the responsible administrator has the ultimate responsibility for the actions of the system administrator.
2. POLICIES
a. Responsibilities to the University
The system administrator should use reasonable efforts:
· To comply with the Policy for Use of University Information Technology Resources, with the technical direction and standards established by University Technology Services, and with other guidelines or standards defined by the unit.
· To promulgate information about specific policies and procedures that govern access to and use of the system, and services provided to the users or explicitly not provided.
· To take precautions against theft of or damage to the system components and data, and to report such events to appropriate areas when such events occur.
· To treat information about, and information stored by, the system's users in an appropriate manner and to take precautions to protect the security of a system or network and the privacy, confidentiality and quality of information contained therein.
· To cooperate with the system administrators of other information technology resources, whether within or without the University, to find and correct problems caused on another system by the use of the system under his/her control.
b. Copyrights and Licenses
Systems administrators must respect and enforce copyrights and software licenses. All software protected by copyright must not be copied except as specifically stipulated by the owner of the copyright or otherwise permitted by copyright law. Protected software may not be copied into, from, or by any University facility or system, except pursuant to a valid license or as otherwise permitted by copyright law. The number and distribution of copies must be handled in such a way that the number of simultaneous users in a department does not exceed the number of original copies purchased by that department, unless otherwise stipulated in the purchase contract.
c. Modification or Removal of Equipment
System administrators must not attempt to modify or remove computer equipment, software, or peripherals that are controlled or administered by others without proper authorization. Information technology resources that are retired, disposed of, or transferred to another location must have all data and licenses removed prior to release of the equipment. Equipment must be disposed of using methods approved by Property Management.
d. Data backup services
System administrators must perform regular and complete backup services for the systems they administer, or they must work with University Technology Services administrators to add their system to a larger university backup structure. System administrators will describe the data restore services, if any, offered to the users. A written document given to users or messages posted on the computer system itself shall be considered adequate notice.
e. Investigate possible misuses
A system administrator may be the first witness to possible misuse as described in the Policy for Use of University Information Technology Resources, and as such the administrator must comply with the guidelines for handling misuse as set forth in that document. Systems administrators will report security breaches according to procedures defined in the Policy for Use of University Information Technology Resources immediately upon discovering the breach. Systems administrators will immediately investigate any possible breach reported to them by the University Technology Services. System administrators should maintain appropriate system logs for a minimum of 48 hours and not more than 30 days if such logs enable the identification of a person. Logs that do not identify a user or person may be kept as needed by a system administrator. Be aware that any log is subject to subpoena or other legal process.
f. System integrity
Systems administrators are responsible for maintaining all aspects of system integrity, including obtaining releases and fixes that assure the currency of operating system upgrades, installation of patches, managing releases, installation of anti-virus software, updates of virus definitions, and the closure of services and ports that are not needed for the effective operation of the system. Prompt renewal of vendor hardware and software agreements is required. Absence of a vendor support contract does not mean that the University Technology Services is able to repair and restore systems without prior agreement or notice. Systems administrators must make every effort to remain familiar with the changing security technology that relates to their system and continually analyze technical vulnerabilities and their resulting security implications.
g. Access account integrity
Systems administrators will manage access accounts on a timely basis, providing new accounts and removing old accounts in a prompt manner. Accounts will be disabled and deleted based on the access rules for the environment and in compliance with all licensing. Systems administrators will assure that good passwords are used and that passwords are changed frequently, within the limits of the system environment. System administrators will ensure that accounts can be traced to an individual person (or a group of people in the case of group accounts) and that the accounts have system access that matches the authorization of the user. Stored authentication data (e.g., password files, encryption keys, certificates, personal identification numbers, access codes) must be appropriately protected with access controls, encryption, shadowing, etc.; for example, password files must not be world-readable.
h. Network Consistency
Systems administrators will implement systems in compliance with the overall university structure for Internet Protocol (IP) addressing, domain services, wireless connectivity strategies, and directory services, as established by the University Technology Services.
i. Removal from the network
For the purpose of assuring all university network users a sound environment, and to meet the university expectations for network services, a system found to be in non-compliance with the Policy for Use of University Information Technology Resources may be removed from the university network. When immediate disconnection is not necessary, system administrators will still be expected to take prompt action to diagnose the problem, to stop any ongoing abuse, and to make whatever changes are needed to prevent recurrence. Generally this will involve adopting "best practices" for security. This process should preserve any evidence that might be needed to locate the source of the problem and take any legal or disciplinary action that might be appropriate. System administrators may be asked to demonstrate compliance with this document and with the Policy for Use of University Information Technology Resources before network services are restored after a documented instance of non-compliance.