Email Template for Administrative Access Stipulations


The purpose of this document is to support compliance with the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices, section 2.7 Limit Administrative Account Privileges.

To: Individual requesting exception

From: IT Director or designee

Re: Exception to Endpoint Security Standard, 2.7 Limit Administrative Account Privileges

You have requested an exception to the Endpoint Security Standard, 2.7 Limit Administrative Account Privileges (“Restrict administrative privileges to device administrators only”). Based on your business case, this request is approved. Please note the policies and standards governing endpoint device security may change or be modified in the future.

In order to maintain administrative privileges, you must adhere to the following stipulations:

  • Administrative access is to be used only for the purpose expressly specified in the business case
    • Do not use administrative access for any other purpose, including creating local administrative accounts, elevating privileges for other accounts, creating new accounts, modifying group policy settings, modifying the system registry, or circumventing any of the existing departmental or UB policies
    • Do not make configuration changes or alterations to any of the other security standards that we are required to implement
  • Your IT support staff will handle non-urgent issues via the traditional help ticket process
    • Regular software installations, configuration changes, software and OS updates, etc. are not considered urgent. This stipulation is waived only while you are on sabbatical or traveling
    • System modifications, updates, and similar activities that fall outside of the granted exception should continue to be performed by your IT support staff
  • Do not use the administrative account for day-to-day system use
  • Do not delegate any privileges or responsibilities

Any deviation from these stipulations will result in the revocation of your administrative access. Full administrative control of your device will revert to IT support staff.

By requesting this exception, you assume all risk and responsibility for potential security issues. Once I receive a confirmation email from you accepting these requirements, you will be granted administrative access.

Please note that these restrictions are not about trust or competence; they are about minimizing risk and exposure to the University. The University completed an Enterprise Risk Management (ERM) assessment, and these standards resulted from that initiative. In addition, system compromises and security breaches are on the rise, and these standards have been implemented in order to minimize the exposure of the University. Incidents such as the ECMC ransomware breach and other campus ransomware incidents have increased our focus on security. For more information, please review the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices.

Thank you for understanding, and if you have any questions, please let XXX* know.

* This may be the person sending the email or a designated point of contact. Therefore, it will be different for each node.