USE OF ADMINISTRATOR AND PRIVILEGED ACCESS
• Administrator and Privileged Access to Swansea University provided devices must only be used for official Swansea University business.
• Use of Administrator and Privileged Access should align with an individual’s role or job responsibilities.
• When an individual’s role or job responsibilities change, Administrator and Privileged Access should be appropriately updated or removed.
• Administrator and Privileged Access is reviewed by the Cyber Advisory Team on a quarterly basis, with findings and recommendations submitted to the Chief Information Security Officer (CISO) for approval.
• In situations where it is unclear whether a particular action is within the scope of current job responsibilities or is appropriate, the situation should be discussed with the CISO.
• Users with Administrative and Privileged Access may be required to perform some security activities such as software or operating system patching and updates, as well as monitoring for unusual activity.
INAPPROPRIATE USE OF ADMINISTRATOR AND PRIVILEGED ACCESS
In addition to those activities deemed inappropriate in the Digital Acceptable Use Policy, the following constitute inappropriate uses of Administrator and Privileged Access to Swansea University computing resources:
• Installing unapproved software.
• Using the account for any activity where Administrator and Privileged Access is not needed.
• Adding accounts to or removing accounts from a device.
• Accessing data/systems the user is not permitted to access.
• Bypassing formal Swansea University computing controls.
• Bypassing UAC (user access controls) or any other formal Swansea University security controls.
• Bypassing formal account activation/suspension procedures.
• Bypassing formal account access change request procedures.
• Bypassing any other implemented Swansea University policies.
The following constitute inappropriate use of Administrator and Privileged Access to Swansea University devices under any circumstances, regardless of whether there is management approval:
• Using Administrative and Privileged Accounts to perform standard “everyday activities” such as web browsing and email access.
• Accessing non-public Information that is outside the scope of specific job responsibilities.
• Exposing or otherwise disclosing non-public Information to unauthorized persons.
• Using access for personal gain or to satisfy curiosity about an individual, system, practice, or other type of entity.
If an account or a machine with Administrator or Privileged Access is believed to be compromised, users with Administrator or Privileged Access should NOT perform any type of digital forensics and should report it immediately for further investigation.